Despite patches, Supermicro's IPMI firmware is far from secure, researchers say
The Intelligent Platform Management Interface (IPMI) implementation found in motherboards from server manufacturer Supermicro suffers from serious vulnerabilities that could allow attackers to remotely compromise the management controllers in servers that use them.
The IPMI specification was developed by Intel and allows system administrators to manage and monitor computer systems remotely in the absence of physical access to them. IPMI supports multiple-communication protocols and operates independently of the operating system running on the computer. Its central part is a microcontroller called the Baseboard Management Controller (BMC) that is usually embedded into the motherboard and is directly connected to its southbridge and a variety of sensors.
BMCs are essentially computers that run inside other computers, most commonly servers. They are usually based on ARM chips and run Linux-based firmware that implements the IPMI functions including monitoring, rebooting and reinstalling the host server’s OS.
IPMI implementations vary from vendor to vendor, but most expose a web-based management interface, a command-line interface via Telnet or Secure Shell, and the IPMI network protocol on port 623 UDP or TCP.
How it can go wrong
If an attacker gains administrative access to the BMC, they can reboot the host server’s operating system into a root shell and introduce a backdoor or copy data from the hard drive. Gaining access to the host operating system while it’s running without rebooting it might also be possible, according to a July analysis of IPMI security risks by security researchers from Rapid7.
On Aug. 22, Rapid7 researchers found several security issues in the IPMI firmware version SMT_X9_226 from Supermicro and reported them to the vendor.
Those issues included the use of hard-coded encryption keys for SSL and SSH connections that could allow an attacker to perform a man-in-the-middle attack and decrypt communication to the firmware; the use of hard-coded credentials with static passwords, including one that cannot be changed by the user; buffer overflow vulnerabilities in the login.cgi, lose_window.cgi and logout.cgi applications that can result in remote code execution as the root user account; and a directory traversal flaw in the url_redirect.cgi application that allows attackers with access to a nonprivileged account to read any file of the system, including the one that contains plain-text credentials for all users.
The researchers also found that more than 65 other CGI applications included in the firmware made unsafe function calls that could potentially be exploited. Accessing those CGI applications required authentication, which limited their exposure to attacks, but an attacker logged in as a low-privileged user could still exploit their flaws to gain root access to the BMC.
Supermicro released a new firmware version called SMT_X9_315 that fixes some of the vulnerabilities reported by Rapid7, particularly the remote code execution ones. However, it appears that some other issues remain unpatched, the Rapid7 researchers said Wednesday in a blog post.
“Firmware version SMT_X9_315 has reorganized the web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy(),” the researchers said. In addition, accessing most CGI applications now requires authentication, with the exception of vmstatus.cgi and login.cgi, they said.
However, the Rapid7 researchers identified new issues that could allow remote root access without authentication though many of the CGI applications and those issues have now also been reported to Supermicro.
“A cursory review of the new firmware shows significant improvements, but far more work is needed to provide a secure management console,” the researchers said. “In the meantime, please treat the Supermicro IPMI web management interface the same way you would an unprotected root shell on the server it is attached to; disconnected from untrusted networks with access limited through another form of authentication (VPN, etc).”
According to the Rapid7 researchers, there are over 35,000 Supermicro IPMIs exposed to the Internet.