Despite patches, Supermicro's IPMI firmware is far from secure, researchers say

The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unauthorized access to servers, Rapid7 researchers said

The Intelligent Platform Management Interface (IPMI) implementation found in motherboards from server manufacturer Supermicro suffers from serious vulnerabilities that could allow attackers to remotely compromise the management controllers in servers that use them.

The IPMI specification was developed by Intel and allows system administrators to manage and monitor computer systems remotely in the absence of physical access to them. IPMI supports multiple communication protocols and operates independently of the operating system running on the computer. Its central part is a microcontroller called the Baseboard Management Controller (BMC) that is usually embedded into the motherboard and is directly connected to its southbridge and a variety of sensors.

BMCs are essentially computers that run inside other computers, most commonly servers. They are usually based on ARM chips and run Linux-based firmware that implements the IPMI functions including monitoring, rebooting and reinstalling the host server's OS.

IPMI implementations vary from vendor to vendor, but most expose a Web-based management interface, a command-line interface via Telnet or Secure Shell, and the IPMI network protocol on port 623 UDP or TCP.

If an attacker gains administrative access to the BMC, they can reboot the host server's operating system into a root shell and introduce a backdoor or copy data from the hard drive. Gaining access to the host operating system while it's running without rebooting it might also be possible, according to a July analysis of IPMI security risks by security researchers from Rapid7.

On Aug. 22, Rapid7 researchers found several security issues in the IPMI firmware version SMT_X9_226 from Supermicro and reported them to the vendor.

Those issues included the use of hard-coded encryption keys for SSL and SSH connections that could allow an attacker to perform a man-in-the-middle attack and decrypt communication to the firmware; the use of hard-coded credentials with static passwords, including one that cannot be changed by the user; buffer overflow vulnerabilities in the login.cgi, lose_window.cgi and logout.cgi applications that can result in remote code execution as the root user account; and a directory traversal flaw in the url_redirect.cgi application that allows attackers with access to a nonprivileged account to read any file of the system, including the one that contains plain-text credentials for all users.
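The directory traversal flaw described above is a generic web-application defect: a CGI handler joins a user-supplied file name onto its web root without checking that the result still lies inside that root. The following is an added illustration, not Rapid7's or Supermicro's code, of the unsafe pattern beside the containment check that closes it; the web root is a temporary directory created for the demonstration and the file names are constructed.

```python
"""Added example: resolving a user-supplied path safely under a web root.

Not code from Supermicro's firmware or from Rapid7. The web root used by
demo() is a constructed temporary directory; the requested names are
constructed test inputs.
"""
import os
import tempfile


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """The unsafe pattern: concatenate and normalise, with no containment check.

    "../" segments in `requested` walk straight out of `web_root`.
    """
    return os.path.normpath(os.path.join(web_root, requested))


def resolve_under_root(web_root: str, requested: str):
    """Return the absolute path for `requested` only if it stays inside `web_root`.

    Run this on the already URL-decoded path, after any %2e%2e / %2f decoding,
    otherwise an encoded traversal sequence slips past the check.
    """
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    root = os.path.realpath(web_root)
    # realpath on both sides collapses ".." segments and follows symlinks, so the
    # prefix comparison below is made on canonical paths.
    candidate = os.path.realpath(os.path.join(root, requested))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Exercise both resolvers against constructed requests under a temp root."""
    with tempfile.TemporaryDirectory() as root:
        canonical_root = os.path.realpath(root)
        unsafe = vulnerable_resolve(root, "../../etc/passwd")
        return {
            "normal_allowed": resolve_under_root(root, "images/logo.png") is not None,
            "traversal_blocked": resolve_under_root(root, "../../etc/passwd") is None,
            "absolute_blocked": resolve_under_root(root, "/etc/passwd") is None,
            # The unsafe resolver produces a path outside the root.
            "unsafe_escapes": not unsafe.startswith(canonical_root + os.sep),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The check compares canonical paths, so a request that reaches the root through a symlink or a mix of "." and ".." segments is handled the same way as a plain "../" sequence.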

The researchers also found that more than 65 other CGI applications included in the firmware made unsafe function calls that could potentially be exploited. Accessing those CGI applications required authentication, which limited their exposure to attacks, but an attacker logged in as a low-privileged user could still exploit their flaws to gain root access to the BMC.

Supermicro released a new firmware version called SMT_X9_315 that fixes some of the vulnerabilities reported by Rapid7, particularly the remote code execution ones. However, it appears that some other issues remain unpatched, the Rapid7 researchers said Wednesday in a blog post.

"Firmware version SMT_X9_315 has reorganized the web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy()," the researchers said. In addition, accessing most CGI applications now requires authentication, with the exception of vmstatus.cgi and login.cgi, they said.

However, the Rapid7 researchers identified new issues that could allow remote root access without authentication through many of the CGI applications, and those issues have now also been reported to Supermicro.

"A cursory review of the new firmware shows significant improvements, but far more work is needed to provide a secure management console," the researchers said. "In the meantime, please treat the Supermicro IPMI web management interface the same way you would an unprotected root shell on the server it is attached to; disconnected from untrusted networks with access limited through another form of authentication (VPN, etc)."
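One of the unpatched findings, the hard-coded SSL keys, is visible from the outside: every BMC still running the factory key presents the same certificate. The following added example, which is not code from Rapid7 or Supermicro, groups a fleet of BMCs by certificate fingerprint so an administrator can see which units still share a key. The host names are constructed, the demonstration runs on constructed certificate bytes, and only fetch_fingerprints() touches the network, against addresses the operator supplies.

```python
"""Added example: find BMCs in your own inventory that present the same TLS
certificate, the symptom of a shared, hard-coded key.

Not Rapid7's or Supermicro's code. Host names and certificate bytes used by
demo() are constructed; fetch_fingerprints() is the only function that opens
a connection and is not called by the demo.
"""
import hashlib
import socket
import ssl
from collections import defaultdict


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the form most tools print."""
    return hashlib.sha256(der_cert).hexdigest()


def shared_certificates(fingerprints: dict) -> dict:
    """Group hosts by fingerprint and return only the groups with more than one
    member. A per-device key is never identical across BMCs, so any such group
    points at a shared factory certificate."""
    groups = defaultdict(list)
    for host, fp in fingerprints.items():
        groups[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def fetch_fingerprints(hosts, port=443, timeout=5.0) -> dict:
    """Collect the certificate each of your BMCs presents on its HTTPS port.

    Verification is disabled on purpose: the goal is to record the certificate
    exactly as presented, self-signed or not, not to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    out = {}
    for host in hosts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    out[host] = fingerprint(tls.getpeercert(binary_form=True))
        except OSError as exc:
            out[host] = f"error: {exc}"
    return out


def demo() -> dict:
    """Constructed inventory: two of three BMCs still present the factory cert.
    Plain byte strings stand in for real DER certificates."""
    factory = b"constructed DER bytes standing in for the vendor default certificate"
    custom = b"constructed DER bytes standing in for a per-device certificate"
    inventory = {
        "bmc-01.example.internal": fingerprint(factory),
        "bmc-02.example.internal": fingerprint(factory),
        "bmc-03.example.internal": fingerprint(custom),
    }
    return shared_certificates(inventory)


if __name__ == "__main__":
    for fp, hosts in demo().items():
        print(f"{fp[:16]}... shared by {', '.join(hosts)}")
```

A fleet run is `shared_certificates(fetch_fingerprints(my_bmc_addresses))`; the same grouping applied to SSH host keys, gathered with the administrator's usual tooling, exposes the shared SSH key the researchers describe.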

According to the Rapid7 researchers, there are over 35,000 Supermicro IPMIs exposed to the Internet.


Lucian Constantin

IDG News Service