WaPo writes about vulnerabilities in Supermicro IPMIs

Anthony Bonkoski ajbonkoski at gmail.com
Fri Aug 16 19:19:31 UTC 2013 

There's a few misconceptions I'd like to address, plus add some backstory.

The Washington Post article is intentionally void of details. It is
intended as a non-technical article. You can find the actual technical
paper here:
https://www.usenix.org/conference/woot13/illuminating-security-issues-surrounding-lights-out-server-management

Cipher-0  is an awful, yet well-known issue that comes directly from the
Intel spec, and thus affects a large set of implementations. Here's an
excellent write-up: http://fish2.com/ipmi/cipherzero.html

The iDRAC testurls vuln. was a result of the firmware being shipped with a
developer debugging webpage that could be used as a backdoor.

Recent work shows that some password hashes can be recovered and cracked.

In this latest development, we reverse engineered a SuperMicro/ATEN
firmware binary and discovered security gross negligence. We discovered the
very worst vuln: client-side only input checking, shell-injection, and
trivial buffer-overflows in many CGI programs including the user/pass
fields of the login page. Further, the device has almost no modern
buffer-overflow defenses (DEP, ASLR, and Stack Carries). We show that it is
*easy* to exploit these flaws and gain a root shell. This is especially
nasty because the system operator is not give access to a Unix shell on the
BMC, thus a remote attacker can gain more capabilities on the BMC than even
the administrator.

In short, the previous work should certainly be enough to make any sys
admin fear exposing IPMI to a public IP.

However, the problem is much worse than we previously thought. This
particular implementation shows a complete disregard for even the most
basic security practices.

-Anthony

On Aug 16, 2013 10:19 AM, "Alain Hebert" <ahebert at pubnix.net> wrote:

    Hi,

    I find it odd that this is suddenly news...

    There is plenty of security updates for iBMC/iDrac/etc from
IBM/HP/Dell/etc over the years.

But:

    You can use ipmitool, rootkit/exploit some Linux box and upload your
own firmware in that iBMC/iDrac/etc... for example the BMC firmware for
a Dell C1100 leave plenty of space to inject your own shell in it.  And
Voila! access to the management network =D.

    BTW I got ipmitool working even on VMWare 5.1 :(

Counter:

    We (PCIDSS hat) always check for those management interfaces and
"proposed" to move those interfaces into they own VLANs+Subnets.
Meaning: PCI DMZ Zone has its own DMZ iBMC VLAN/Subnet/FW Rules, PCI DB
Zone has its own iBMC VLAN/Subnet/FW Rules, etc.

    It is a few more VLAN/Subnets... but modern Firewall can handle this
easy.

    PS: "proposed" as in not giving them a choice =D

-----
Alain Hebert                                ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 08/16/13 00:22, Kyle Creyts wrote:
> just so we're all clear, SuperMicro wasn't the only one...
>
> link: http://pastebin.com/syXHLuC5
>
> 1.  CVE-2013-4782 CVSS Base Score = 10.0
> 2.  The SuperMicro BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 3.
> 4.  CVE-2013-4783 CVSS Base Score = 10.0
> 5.  The Dell iDRAC 6 BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 6.
> 7.  CVE-2013-4784 CVSS Base Score = 10.0
> 8.  The HP Integrated Lights-Out (iLO) BMC implementation allows
> remote attackers to bypass authentication and execute arbitrary IPMI
> commands by using cipher suite 0 (aka cipher zero) and an arbitrary
> password.
> 9.
> 10. CVE-2013-4785 CVSS Base Score = 10.0
> 11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote
> attackers to modify the CLP interface for arbitrary users and possibly
> have other impact via a request to an unspecified form that is
> accessible from testurls.html.
> 12.
> 13. CVE-2013-4786 CVSS Base Score = 7.8
> 14. The IPMI 2.0 specification supports RMCP+ Authenticated
> Key-Exchange Protocol (RAKP) authentication, which allows remote
> attackers to obtain password hashes and conduct offline password
> guessing attacks by obtaining the HMAC from a RAKP message 2 responses
> from a BMC.
>
>
> References:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
> =>  http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
> => http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
> =>  http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
> =>  http://fish2.com/ipmi/dell/secret.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
> =>  http://fish2.com/ipmi/remote-pw-cracking.html
>
> On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra at baylink.com> wrote:
>> Presumably, everyone else's are very religious as well.
>>
>> Is anyone here stupid enough not to put the management interfaces behind
>> a firewall/VPN?
>>
>>
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/
>>
>> And should I be nervous that Usenix pointed me *there* for the story,
>> rather than a tech press outlet?
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth                  Baylink
jra at baylink.com
>> Designer                     The Things I Think
RFC 2100
>> Ashworth & Associates     http://baylink.pitas.com         2000 Land
Rover DII
>> St Petersburg FL USA               #natog                      +1 727
647 1274
>>
>
>

More information about the NANOG mailing list