« Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage.
Sun 08 Jun 2014 09:13:27 PM CEST - permalink -
Yesterday, Farmer released a paper called “Sold Down the River,” in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit.
“Many of these problems would have been easy to fix if the IPMI protocol had undergone a serious security review or if the developers of modern BMCs had spent a little more effort in hardening their products and giving their customers the tools to secure their servers,” Farmer wrote.
Farmer said the number of servers with vulnerable BMCs has given IPMI insecurity a long shelf life. Moore’s scan pulled up 230,000 responses over port 623, an admittedly tiny slice of the overall number of implementations. Yet Farmer concludes that 90 percent of BMCs running IPMI could be compromised because of default or weak passwords or weaknesses in the protocol, not only implicating the host server but others in the same management group because, as he discovered, some vendors share common passwords.
There are two popular versions of IPMI, 1.5 and 2.0, and there is almost a 50-50 split in deployments. BMCs running version 1.5 are, however, seriously plagued by a vulnerability in that nearly all server management ports have NULL authentication set, allowing log-ins without authentication. Nearly all BMCs, Farmer said, also have NULL enabled, which, when combined with the server management issue, gives hackers an open door to any older IPMI system. “The privileges associated with the NULL account vary from vendor to vendor, but it seems to usually grant administrator access,” Farmer wrote.
Farmer said 90.1 percent of IPMI 1.5 systems had NULL authentication enabled. Compounding the issue is that 1.5 also lacks cryptographic protection between the user and BMC, leaving it vulnerable to attacks against network traffic such as password sniffing and man-in-the-middle attacks.
Version 2.0, meanwhile, includes some crypto protections and some vendors recognized NULL authentication as a vulnerability and fixed it in about half of the implementations. The crypto used, however, introduces new security issues, Farmer said. The Cipher Zero protocol allows an outsider to log in without authentication, only a valid user name; any password will be ignored, Farmer said. Most server vendors enable it by default on their BMC; HP recently gave users the option of turning it off for the first time, Farmer said.
Farmer said he used Metasploit to scan IPMI 2.0 BMCs to gather password hashes from 83 percent of those systems, and using the popular John The Ripper password cracker, he was able to get 30 percent of those passwords. And most of those passwords were easily guessable passwords such as “admin.”
Further testing, Farmer said, revealed that 11,500 BMCs shared a common password, which could have been an undocumented default password; and another 1,300 BMCs, most in Europe and primarily on six networks, had a shared password, likely indicating a service provider using a common password to manage dispersed systems, Farmer said. »