Data Center Servers Exposed

  /     /     /  
Publicated : 22/11/2024   Category : security


Data Center Servers Exposed


Popular server firmware contains multiple zero-day vulnerabilities, but fixes are fraught with trade-offs



You definitely dont want to show up on one of HD Moores Internet scans. But some 35,000 -- and counting -- servers have been found exposed on the Internet by the renowned researcher and his team in their ongoing global scanning project aimed at detecting networked devices in danger of attack. In the latest twist, popular server firmware exposed on the Net also contains multiple zero-day bugs that leave corporate servers open to outside attackers.
Rapid7 late last week disclosed several previously unknown security bugs in Supermicros Intelligent Platform Management Interface (IPMI) protocol implementation in its Baseboard Management Controller (BMC) firmware that, in effect, give attackers near-physical access to the affected servers. BMC firmware and its corresponding IPMI interface are basically remote management tools for the servers. The flaws were found in firmware version SMT_X9_226 of Supermicros product, and Supermicro recently updated the firmware with version SMT_X9_315, which Rapid7 found only addresses some of the zero-days as well as some other flaws.
Among the flaws Rapid7 found were static encryption keys, hard-coded credentials, and buffer overflows. Moore, who is chief research officer for Rapid7 and creator of Metasploit, says his team has not been able to confirm that Supermicros firmware update fixes the static encryption key and hard-coded credentials issue.
Supermicro had not yet responded to a press inquiry as of this posting.
Moore previously had revealed major holes in embedded devices, home routers, corporate videoconferencing systems, and other equipment on the public Internet that is open to abuse by bad guys. He and fellow researcher Dan Farmer in July announced they had discovered around 300,000 servers online at serious risk of hacker takeover via bugs in IPMI and BMC. An attacker could steal data from attached storage devices, tinker with operating system settings, install a backdoor, sniff credentials sent via the server, wipe the hard drives, or launch a denial-of-service attack on the servers, according to the researchers.
[A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines. Some 300,000 servers were discovered online at risk to this threat. See
New Gaping Security Holes Found Exposing Servers
. ]
The Supermicro bugs are the latest example of how data centers can also be unknowingly exposed on the public Net. And the rub: Even if Supermicro fixes all of the bugs, that doesnt mean its customers will apply the patches.
The problem is that nobody updates them, so it doesnt matter if the vendor patches it or not. The most we can do is awareness, says Tod Beardsley, Metasploit engineering manager for Rapid7. Metasploit now offers scanning modules for its framework that organizations can use to determine whether their servers are at risk, he says.
Exploiting [these bugs] is going to give you control over the BMC, which is then a short walk to the server itself, he says. You can enable a KVM and have a remote mouse as if you are standing in the data center ... then you can steal all the data.
Robert Graham, CEO of Errata, which has been conducting Internet scan research of its own, says Moores IPMI research is the most critical to enterprises because it shows how corporate servers and data centers are exposed.
Even though many of the flaws that are found in Moores, Errata Securitys, and others scans go ignored by many users and vendors, its still necessary because the bad guys are doing the very same scans, Graham contends. IPMI is dangerous, and that has been known for a long time [by hackers], he says.
Exposing the vulnerable devices ultimately pressures vendors to do something to improve security, he says. Graham says making a stink about these problems prevents vendors from holding their users hostage. When they say [to researchers], Please dont disclose this vulnerability because it affects my users ... it means, Im holding my users hostage, Graham says.
So what can enterprises do to protect their servers from getting hacked via IPMI or BMC bugs?
Johannes Ullrich, head of SANS Storm Center, says protecting the IPMI interface is a tricky balance. There is little one can do to protect an IPMI interface if the interface is needed to remotely administer the system, in particular, given the backdoor fixed passwords. The best you can do is limit access to the IPMI interface via a firewall, and maybe by changing default ports if this is an option, Ullrich said in a SANS ISC diary post. Once exposed, an attacker will have the same access to the system as a user with physical system access. Remember that turning off a system may leave IPMI enabled unless you disconnect power or network connectivity.
Running the IPMI traffic over a separate management network or VLAN is also an option, Erratas Graham says.
No matter how many updates you get, assume youve still got a problem. [IPMI] should always be managed [as if in a] hostile [environment], he says.
Beardsley says security pros should talk with their IT and network staff who run their data centers. Ask them nicely to make sure this stuff is not exposed on the WAN, he says.
Rapid7s full report on the Supermicro bugs is
here
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Data Center Servers Exposed