New Gaping Security Holes Found Exposing Servers

Published: 22/11/2024   Category: security




Researcher HD Moore has so far discovered around 300,000 servers online at serious risk of hacker takeover



A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines, a pair of renowned researchers said today.
HD Moore, chief research officer at Rapid7 and creator of Metasploit, and security researcher Dan Farmer announced findings of their research on major flaws in the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMC) packaged with most servers for remote management purposes.
As part of his ongoing Internet scanning research, Moore found more than 100,000 servers and workstations online that are vulnerable to one or more of six flaws in IPMI and BMC -- some of which were bugs Farmer revealed earlier this year -- which Moore says is just the tip of the iceberg of potential servers in danger on the Net. The bugs could allow an attacker to compromise BMCs in the affected servers and siphon data from attached storage devices, make changes to the operating system, install a permanent backdoor, sniff credentials sent through the server, launch a denial-of-service attack, or wipe the hard drives.
[Unplug Universal Plug And Play (UPnP) to protect routers, storage devices, and media players from getting hacked over the Internet, Rapid7 says. See Millions Of Networked Devices In Harm's Way.]
Moore says these findings are bigger and more serious than other equipment he has found exposed on the Internet. "It's one thing to be hacking some crappy home router, but it's another thing to see servers wide open to attack," he says.
And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.
The vulnerabilities follow a common theme in other weaknesses Moore has discovered in Internet-facing equipment: default backdoor-type access left by the vendors for internal ease of access and use, including default passwords, and customers either unaware of or not understanding the looming dangers of the holes sitting exposed on the Internet.
"This definitely qualifies for the moniker 'gaping security hole,'" says Chris Wysopal, CTO at Veracode. "These management interfaces give, as Dan [Farmer] says, the equivalent of physical access and use a separate authentication scheme from what IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."
"Those server ports should not be open to the outside, either," Wysopal says, "so it appears to be a very prevalent mistake by server admins. The big deal I see is that once an attacker is through the perimeter, they can have a field day internally with these vulnerabilities."
BMCs are found on most servers today, and are OEMed and sold by Dell, HP, IBM, and Supermicro, for instance; they are either integrated on the motherboard of the server or as an add-on that plugs into a connector or PCI slot. They are basically computers in their own right that offer remote management of servers, and provide things like virtual keyboards, video, mouse, power, and removable media control for the machines. And even when the server is powered down, the BMC is still powered on.
IPMI, the server management protocol that runs on the BMC, is supported by some 200 vendors and was found by Farmer to have various authentication and access flaws.
The researchers say attackers could hack into a server via a compromised BMC by rebooting the server from a virtual CD-ROM and using a rescue disk. The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality, they wrote in an FAQ on the vulnerabilities.
"The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system," they wrote.
Farmer's initial work on the bugs didn't capture much public attention at first. "It kind of sat there for five months, and the security community ignored it," he says. "It wasn't until we got some Internet exposure to how bad it really was that it got the attention it deserved," according to Moore.
There are a total of six flaws with BMC security that the researchers found, most of which are rooted in the IPMI protocol:
• IPMI version 2.0's cipher 0 encryption method bypasses authentication altogether for IPMI commands. This feature is often on by default in BMCs;
• IPMI version 2.0 sends requesting clients a cryptographic hash of the user's password before authentication, which could allow an attacker to brute-force the hash to recover the password if it's not a strong one;
• IPMI version 2.0 supports logins by anonymous users -- with a username and password set to null. This user account often comes with administrative privileges, and some BMC vendors ship this feature activated by default;
• All versions of IPMI are able to provide authentication methods remotely to a requester via the get channel authentication request;
• Some BMCs enable the Universal Plug and Play (UPnP) protocol by default and have no option for disabling it. Supermicro's BMC is among those affected;
• IPMI passwords are stored unencrypted in BMCs. This is especially dangerous because multiple servers often share the same IPMI password. Both Dell and Supermicro BMCs are configured with unencrypted IPMI passwords.
Rapid7 found 308,000 IPMI-enabled BMCs exposed on the Net, 195,000 of which have no encryption because they run IPMI 1.5, which doesn't support it. Some 99,000 of the IPMI 2.0 servers expose password hashes, 53,000 are at risk of password bypass with Cipher 0, and 35,000 use a vulnerable UPnP service.
Meanwhile, most server hosting providers that support Supermicro BMCs are affected by these flaws. "The danger here is that an attacker could install a permanent backdoor on the BMC that would provide it access to all of the hosting provider's customers on that hardware platform," Moore says.
Rapid7 itself had a brush with the BMC security holes earlier this year. The vulnerability management and penetration testing firm got a shipment of third-party appliances that included Supermicro motherboards that came with IPMI enabled. "The first round of Supermicro boards we received this year had IPMI enabled by default, and it took a couple of long days and late nights to jumper them so we could use them as intended without introducing a risk," Moore recalls. "Our new boards specifically exclude the IPMI feature."
What To Do About It
Among the recommendations by the researchers: scan for and detect any exposed systems to make sure IPMI-enabled BMCs are not exposed to the Internet. For servers running internally, disable Cipher 0; set up strong and complex passwords; and for Supermicro BMCs, update the firmware.
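An added defender-side example, not from the article or from Moore's and Farmer's research: this Python script audits saved `ipmitool lan print <channel>` output for two of the weaknesses listed above, Cipher Suite 0 reachable at any privilege level and IPMI 1.5 sessions with authentication type NONE enabled, and prints the `cipher_privs` command that disables Cipher 0. The sample output is constructed, and the script assumes the operator has already run ipmitool against LAN channel 1 and saved the text.

```python
"""Audit saved `ipmitool lan print` output for Cipher 0 and IPMI 1.5 NONE auth.
Added example; SAMPLE below is constructed, not captured from a real BMC."""
import re

# Constructed sample in the format `ipmitool lan print 1` prints (assumption:
# the operator already ran that command against the BMC and saved its output).
SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12,17
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def audit_lan_print(text, channel=1):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]{15})", text, re.M)
    if m:
        privs = m.group(1)
        # Character N is the maximum privilege granted over cipher suite N. Suite 0
        # has no authentication, so anything but X lets an unauthenticated client in.
        if privs[0] != "X":
            fixed = "X" + privs[1:]
            findings.append(
                f"cipher suite 0 enabled with max privilege {PRIV_NAMES[privs[0]]}; "
                f"disable it with: ipmitool lan set {channel} cipher_privs {fixed}")
    # IPMI 1.5 auth types per privilege level; NONE permits sessions without a password.
    for level, types in re.findall(
            r":\s*(Callback|User|Operator|Admin|OEM)\s*:\s*([A-Z0-9 ]*)$", text, re.M):
        if "NONE" in types.split():
            findings.append(f"IPMI 1.5 auth type NONE enabled for {level} level")
    return findings
```

Run `audit_lan_print(open("lan_print.txt").read())` on a saved capture; an empty result means neither weakness was found on that channel.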
Moore's full posting on the IPMI/BMC server security issues, including links to Farmer's research, is available here.
