{BMC Exploit} Are your servers at risk?!



katos
21-06-14, 09:45 AM
http://2.bp.blogspot.com/-DmIKi-fYD-A/U6Pr8DuG1WI/AAAAAAAAcH8/2-slGo9JhxQ/s728/SuperMicro-Motherboard.jpg

A new vulnerability affecting multiple servers running specific motherboards has been discovered, and it is quite frightening!


The vulnerability actually resides in the Baseboard Management Controller (BMC) in the WPCM450 line of chips incorporated into the motherboards. A security researcher at the CARInet Security Incident Response Team discovered that the Baseboard Management Controller (BMC) of Supermicro motherboards contains a binary file that stores remote login passwords in clear text, and that the file is available for download simply by connecting to a specific port. (Port hidden for security reasons.)

The Baseboard Management Controller (BMC) is the central part of the microcontroller that resides on a server motherboard or in the chassis of a blade server or telecom platform. The BMC links to the main processor and other onboard elements via a simple serial bus.

The 84 vulnerable firmwares are listed here (http://0bin.net/paste/hIEDdqEmuy+nPPje#ohfywdDqTxPLGCd4NpsKFt9Gn183TRHHNmlIW4AmNQM=), and server administrators are advised to apply the available patches from vendors. In order to apply patches, you need to flash the device with a new firmware update. You can speak with your hosting provider(s) about this, as they can pass on the relevant information to their providers, or carry out the updates themselves.

Quote:

1) A compromised IPMI card can be used to root the server by rebooting to a virtual cdrom containing a rescue disk image. If you own the IPMI card, you can own the server.

2) A compromised server can be used to reflash and otherwise compromise the IPMI card using the local device interface.

What this means is that an attacker who owns an exposed IPMI card can pull any data they want off the drive of the server or rootkit it. They can even rootkit the IPMI card itself using off-the-shelf tools for firmware modification. Even reinstalling the server would not remove a rootkit like this.

Now think about this in terms of segmenting your IPMI from your production network. An attacker that gets access to one can get access to the other. For shared hosting environments, this is a nightmare that is pretty much impossible to fix without disabling the card.

PS: Sorry if this is the wrong section, I didn't know where else to place it.
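As an added example (not part of the post above, and not the researcher's tooling), the following script audits the two points the quote raises for each server: whether the BMC is still on an affected firmware build, and whether its IP sits outside an isolated management VLAN. It parses the `Key : Value` output that `ipmitool mc info` and `ipmitool lan print` produce; the sample outputs, the management subnet and the affected-firmware set are constructed placeholders, since the thread only links to the real list.

```python
"""Audit one BMC from its ipmitool output: affected firmware build and
reachability from the production network rather than a management VLAN.
All sample data below is CONSTRUCTED; fill the sets from your own inventory."""
import ipaddress

# PLACEHOLDER: populate from the vendor's list of affected firmware builds.
AFFECTED_FW = {"3.15"}
# Constructed: subnets used only by the out-of-band management VLAN.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]


def parse_kv(text):
    """Parse 'Key : Value' lines as printed by ipmitool (mc info, lan print).
    Splitting on the first ':' keeps MAC addresses and other colon values intact."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def audit_bmc(mc_info, lan_print):
    """Return a list of findings for one BMC given its two ipmitool outputs."""
    mc, lan = parse_kv(mc_info), parse_kv(lan_print)
    findings = []
    fw = mc.get("Firmware Revision")
    if fw in AFFECTED_FW:
        findings.append(f"firmware {fw} is on the affected list; reflash the BMC")
    ip = ipaddress.ip_address(lan["IP Address"])
    if not any(ip in net for net in MGMT_NETS):
        findings.append(f"BMC {ip} is outside the management VLAN; segment it")
    return findings


# Constructed sample outputs, shaped like real ipmitool output.
MC_INFO_BAD = """Device ID                 : 32
Firmware Revision         : 3.15
IPMI Version              : 2.0
Manufacturer Name         : Supermicro"""
LAN_PRINT_BAD = """IP Address Source       : Static Address
IP Address              : 192.0.2.21
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:ab:cd:ef"""
MC_INFO_OK = MC_INFO_BAD.replace("3.15", "3.20")
LAN_PRINT_OK = LAN_PRINT_BAD.replace("192.0.2.21", "10.99.0.21")

if __name__ == "__main__":
    for finding in audit_bmc(MC_INFO_BAD, LAN_PRINT_BAD):
        print(finding)
```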

Suraf
22-06-14, 12:22 PM
Hopefully the server owners who may be using these motherboards will notice this thread.

katos
22-06-14, 12:47 PM
Hopefully the server owners who may be using these motherboards will notice this thread.

hopefully! :)