WaPo writes about vulnerabilities in Supermicro IPMIs

Alain Hebert ahebert at pubnix.net
Fri Aug 16 14:17:35 UTC 2013


    Hi,

    I find it odd that this is suddenly news...

    There is plenty of security updates for iBMC/iDrac/etc from
IBM/HP/Dell/etc over the years.

But:

    You can use ipmitool, rootkit/exploit some Linux box and upload your
own firmware in that iBMC/iDrac/etc... for example the BMC firmware for
a Dell C1100 leave plenty of space to inject your own shell in it.  And
Voila! access to the management network =D.

    BTW I got ipmitool working even on VMWare 5.1 :(

Counter:

    We (PCIDSS hat) always check for those management interfaces and
"proposed" to move those interfaces into they own VLANs+Subnets. 
Meaning: PCI DMZ Zone has its own DMZ iBMC VLAN/Subnet/FW Rules, PCI DB
Zone has its own iBMC VLAN/Subnet/FW Rules, etc.

    It is a few more VLAN/Subnets... but modern Firewall can handle this
easy.

    PS: "proposed" as in not giving them a choice =D

-----
Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 08/16/13 00:22, Kyle Creyts wrote:
> just so we're all clear, SuperMicro wasn't the only one...
>
> link: http://pastebin.com/syXHLuC5
>
> 1.  CVE-2013-4782 CVSS Base Score = 10.0
> 2.  The SuperMicro BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 3.
> 4.  CVE-2013-4783 CVSS Base Score = 10.0
> 5.  The Dell iDRAC 6 BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 6.
> 7.  CVE-2013-4784 CVSS Base Score = 10.0
> 8.  The HP Integrated Lights-Out (iLO) BMC implementation allows
> remote attackers to bypass authentication and execute arbitrary IPMI
> commands by using cipher suite 0 (aka cipher zero) and an arbitrary
> password.
> 9.
> 10. CVE-2013-4785 CVSS Base Score = 10.0
> 11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote
> attackers to modify the CLP interface for arbitrary users and possibly
> have other impact via a request to an unspecified form that is
> accessible from testurls.html.
> 12.
> 13. CVE-2013-4786 CVSS Base Score = 7.8
> 14. The IPMI 2.0 specification supports RMCP+ Authenticated
> Key-Exchange Protocol (RAKP) authentication, which allows remote
> attackers to obtain password hashes and conduct offline password
> guessing attacks by obtaining the HMAC from a RAKP message 2 responses
> from a BMC.
>
>
> References:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
> =>  http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
> => http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
> =>  http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
> =>  http://fish2.com/ipmi/dell/secret.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
> =>  http://fish2.com/ipmi/remote-pw-cracking.html
>
> On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra at baylink.com> wrote:
>> Presumably, everyone else's are very religious as well.
>>
>> Is anyone here stupid enough not to put the management interfaces behind
>> a firewall/VPN?
>>
>>   http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/
>>
>> And should I be nervous that Usenix pointed me *there* for the story,
>> rather than a tech press outlet?
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth                  Baylink                       jra at baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>> St Petersburg FL USA               #natog                      +1 727 647 1274
>>
>
>




More information about the NANOG mailing list