In association with heise online

05 July 2013, 09:42

Security expert highlights remote server management issues


Image caption: Remote management feature of a Supermicro server board

HD Moore, Chief Research Officer at Rapid7, the company behind the Metasploit attack framework, has warned that care should be taken when using remote server management features. Moore has exposed major vulnerabilities in the IPMI 1.5 and 2.0 remote management protocols and in the firmware of many Baseboard Management Controllers (BMCs). These chips grant remote network access even when the server itself isn't running (out-of-band management). However, like industrial control systems, UPnP routers and serial port servers before it, BMC firmware contains vulnerabilities that attackers can easily exploit.

The vulnerabilities aren't new: as recently as June, the server manufacturer warned that a UPnP bug exists in the BMC firmware of numerous Supermicro server motherboards. For this and other reasons, many BMCs communicate via a separate network port that should only be connected to a protected LAN dedicated to remote management. However, many server boards allow the remote maintenance features to be configured so that they are reachable via one of the normal gigabit Ethernet ports. Administrators who are uncertain about how their servers are configured should check their setup.

HD Moore first points to the paper on IPMI risks written by Dan Farmer, who has also released a best practices document (PDF). Moore goes on to explain how to identify the BMC's active network ports and lists commonly used default passwords that give easy access to the remote server management features of many major manufacturers.

Image caption: Some BMCs use KVM-over-IP to provide mouse and keyboard access to a system's graphical user interface and BIOS setup
If the operating system running on the server in question includes a driver for the (often virtual serial) BMC interface, IPMI commands can potentially be used to access the BMC from the host. It is then also possible to use the BMC's KVM-over-IP feature to control the server. However, HD Moore expects that there are additional attack vectors: some BMC firmware components contain very old and badly maintained legacy code. A BMC often consists of a System-on-Chip (SoC) that combines a number of I/O ports with an old graphics chip and a simple ARM or PowerPC core, and firmware developers often use older open source tools that still work on obsolete chip generations.

IPMI itself is also vulnerable. Dan Farmer has described the "Cipher-0" problem, which allows attackers to bypass the authentication of IPMI 2.0, and HD Moore explains how to probe a server for this vulnerability using Metasploit. However, IPMI 2.0 isn't fully secure even with a password, because it uses the Remote Authenticated Key Exchange Protocol (RAKP), and passwords can be reconstructed from the hash values submitted during that exchange using tools such as hashcat.
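The setup check the article recommends, applied to the cipher suite 0 problem, as an added example that is not part of the article or of Moore's and Farmer's tooling: it parses the output of ipmitool's `lan print` and, where suite 0 is still enabled, prints the `lan set ... cipher_privs` command that marks it unused. It assumes ipmitool and a loaded IPMI host driver, that channel 1 is the BMC's LAN channel, and that the sample output embedded below (constructed, not captured from a real board) matches ipmitool's layout.

```shell
# Added example (not from the article): audit the cipher suite privileges of
# an IPMI LAN channel. Assumes ipmitool, a loaded IPMI host driver, channel 1.

# Constructed sample of "ipmitool lan print 1" output with cipher suite 0
# enabled: position 1 of the privilege string is 'a' (admin), not 'X' (unused).
SAMPLE_LAN_PRINT='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa'

# Print the 15-character cipher suite privilege string from lan print output on stdin.
cipher_privs() {
    awk -F': *' '/^Cipher Suite Priv Max/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the channel's IP address from lan print output on stdin.
lan_ip() {
    awk -F': *' '/^IP Address[ \t]*:/ { print $2; exit }'
}

# Exit 0 when cipher suite 0 is disabled (privilege 'X'), 1 when it is enabled.
cipher0_disabled() {
    case "$(cipher_privs)" in
        X*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Keep the other 14 suites as configured but mark suite 0 as unused.
harden_privs() {
    privs=$(cipher_privs)
    printf 'X%s\n' "${privs#?}"
}

# Audit one channel: usage "ipmitool lan print 1 | audit_channel".
audit_channel() {
    input=$(cat)
    ip=$(printf '%s\n' "$input" | lan_ip)
    if printf '%s\n' "$input" | cipher0_disabled; then
        echo "OK: cipher suite 0 disabled on BMC $ip"
        return 0
    fi
    echo "WARNING: cipher suite 0 enabled on BMC $ip (authentication bypass)"
    echo "Fix: ipmitool lan set 1 cipher_privs $(printf '%s\n' "$input" | harden_privs)"
    return 1
}

# Demo on the constructed sample; '|| true' keeps a set -e shell from aborting.
printf '%s\n' "$SAMPLE_LAN_PRINT" | audit_channel || true
```

Run the same audit against every channel the board reports, since boards that share a gigabit port with the BMC expose that channel on the production network.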

Image caption: BMC by ServerEngines on an Intel server board
Many Supermicro server boards with an "F" in their type designation include remote management BMCs by the Taiwanese manufacturer Nuvoton (a Winbond subsidiary) with firmware by Aten. These chips were developed by American Megatrends (AMI) as MegaRACs. In 2010, Emulex acquired the former chipset manufacturer ServerEngines and its Pilot BMC product range.

