WaPo writes about vulnerabilities in Supermicro IPMIs
Alain Hebert
ahebert at pubnix.net
Fri Aug 16 14:17:35 UTC 2013
Hi,
I find it odd that this is suddenly news...
There is plenty of security updates for iBMC/iDrac/etc from
IBM/HP/Dell/etc over the years.
But:
You can use ipmitool, rootkit/exploit some Linux box and upload your
own firmware in that iBMC/iDrac/etc... for example the BMC firmware for
a Dell C1100 leave plenty of space to inject your own shell in it. And
Voila! access to the management network =D.
BTW I got ipmitool working even on VMWare 5.1 :(
Counter:
We (PCIDSS hat) always check for those management interfaces and
"proposed" to move those interfaces into they own VLANs+Subnets.
Meaning: PCI DMZ Zone has its own DMZ iBMC VLAN/Subnet/FW Rules, PCI DB
Zone has its own iBMC VLAN/Subnet/FW Rules, etc.
It is a few more VLAN/Subnets... but modern Firewall can handle this
easy.
PS: "proposed" as in not giving them a choice =D
-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 08/16/13 00:22, Kyle Creyts wrote:
> just so we're all clear, SuperMicro wasn't the only one...
>
> link: http://pastebin.com/syXHLuC5
>
> 1. CVE-2013-4782 CVSS Base Score = 10.0
> 2. The SuperMicro BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 3.
> 4. CVE-2013-4783 CVSS Base Score = 10.0
> 5. The Dell iDRAC 6 BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 6.
> 7. CVE-2013-4784 CVSS Base Score = 10.0
> 8. The HP Integrated Lights-Out (iLO) BMC implementation allows
> remote attackers to bypass authentication and execute arbitrary IPMI
> commands by using cipher suite 0 (aka cipher zero) and an arbitrary
> password.
> 9.
> 10. CVE-2013-4785 CVSS Base Score = 10.0
> 11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote
> attackers to modify the CLP interface for arbitrary users and possibly
> have other impact via a request to an unspecified form that is
> accessible from testurls.html.
> 12.
> 13. CVE-2013-4786 CVSS Base Score = 7.8
> 14. The IPMI 2.0 specification supports RMCP+ Authenticated
> Key-Exchange Protocol (RAKP) authentication, which allows remote
> attackers to obtain password hashes and conduct offline password
> guessing attacks by obtaining the HMAC from a RAKP message 2 responses
> from a BMC.
>
>
> References:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
> => http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
> => http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
> => http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
> => http://fish2.com/ipmi/dell/secret.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
> => http://fish2.com/ipmi/remote-pw-cracking.html
>
> On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra at baylink.com> wrote:
>> Presumably, everyone else's are very religious as well.
>>
>> Is anyone here stupid enough not to put the management interfaces behind
>> a firewall/VPN?
>>
>> http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/
>>
>> And should I be nervous that Usenix pointed me *there* for the story,
>> rather than a tech press outlet?
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth Baylink jra at baylink.com
>> Designer The Things I Think RFC 2100
>> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
>> St Petersburg FL USA #natog +1 727 647 1274
>>
>
>
More information about the NANOG
mailing list