Security expert highlights remote server management issues
HD Moore, Chief Research Officer at Rapid7, the company known for the Metasploit attack framework, has warned that care should be taken when using remote server management features. Moore has exposed major vulnerabilities in the IPMI 1.5 and 2.0 remote management protocols and in the firmware of many Baseboard Management Controllers (BMCs). These chips grant remote network access even when the actual server isn't in operation (out-of-band management). However, like industrial control systems, UPnP routers and serial port servers before it, BMC firmware contains vulnerabilities that attackers can easily exploit.
The vulnerabilities aren't new. Only in June, server manufacturer Thomas-Krenn.com warned that a UPnP bug exists in the BMC firmware of numerous Supermicro server motherboards. For this and other reasons, many BMCs communicate via a separate network port that should be connected to a protected LAN for remote management purposes only. However, many server boards allow the remote maintenance features to be configured in such a way that they can be accessed via one of the normal gigabit Ethernet ports. Administrators who are uncertain about how their servers are configured should be sure to check their setup.
HD Moore first points to the paper on IPMI risks written by Dan Farmer, who has also released a best practices document. Moore goes on to explain how to identify the BMC's active network ports and lists commonly used default passwords that give easy access to many major manufacturers' remote server management features.
If the operating system running on the server in question includes a driver for the (often virtual serial) BMC interface, IPMI commands can potentially be used to access the BMC from the host. It will then also be possible to use the BMC's KVM-over-IP feature to control the server. However, HD Moore expects that there are additional attack vectors: some BMC firmware components contain very old and badly maintained legacy code. A BMC often consists of a System-on-Chip (SoC) that combines a number of I/O ports with an old graphics chip and a simple ARM or PowerPC core. Firmware developers often use older open source tools that still work on obsolete chip generations.
IPMI itself is also vulnerable. Dan Farmer has described the "Cipher 0" problem that allows attackers to bypass the authentication of IPMI 2.0. HD Moore explains how to probe a server for this vulnerability using Metasploit. However, IPMI 2.0 isn't fully secure even with a password, because it uses the Remote Authenticated Key-Exchange Protocol (RAKP), and passwords can be reconstructed from the hash values it submits using tools such as hashcat.
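Administrators who want to check their own setup, as the article recommends, can start with the BMC's LAN configuration as reported by `ipmitool lan print`. The following script is an added example, not code from the article, Rapid7 or Dan Farmer: it parses that output and flags the weak settings discussed above (cipher suite 0 enabled, the "NONE" authentication type enabled for any privilege level, and a default SNMP community string). The sample output embedded below is constructed to resemble ipmitool's format and is not captured from a real BMC; the remediation commands it prints assume the LAN channel is number 1, which is common but not universal.

```python
"""Audit `ipmitool lan print` output for weak IPMI-over-LAN settings.

Added example (not the article's or any vendor's code).  Run it against
the constructed sample below, or pipe real output in on stdin:

    ipmitool lan print 1 | python3 ipmi_lan_audit.py
"""
import sys

# Constructed sample of `ipmitool lan print 1` output (not a real capture).
# It deliberately contains three weak settings: cipher suite 0 allowed at
# ADMIN privilege, auth type NONE enabled for the User level, and the
# default "public" SNMP community.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.50
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
SNMP Community String   : public
802.1q VLAN ID          : Disabled
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Letters used by ipmitool in the "Cipher Suite Priv Max" string.
CIPHER_PRIV = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Assumption: the LAN channel being audited is channel 1.
LAN_CHANNEL = 1


def parse_lan_print(text):
    """Turn ipmitool's "Key : Value" listing into {key: [value, ...]}.

    Indented lines that begin with ':' continue the previous field, so
    multi-line fields such as "Auth Type Enable" become a list of entries.
    """
    fields = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # continuation of the previous field
            if key is not None:
                fields[key].append(line.split(":", 1)[1].strip())
            continue
        name, _, value = line.partition(":")
        key = name.strip()
        fields[key] = [value.strip()]
    return fields


def audit_lan_print(text):
    """Return a list of (code, message) findings for the weak settings."""
    fields = parse_lan_print(text)
    findings = []

    # 1. Cipher suite 0 offers no authentication, integrity or encryption.
    #    Position N of the priv string is cipher suite N; 'X' means unused.
    priv = fields.get("Cipher Suite Priv Max", [""])[0]
    if priv and priv[0] != "X":
        fixed = "X" + priv[1:]
        findings.append(("cipher0",
                         "cipher suite 0 is enabled at %s privilege; fix: "
                         "ipmitool lan set %d cipher_privs %s"
                         % (CIPHER_PRIV.get(priv[0], priv[0]), LAN_CHANNEL, fixed)))

    # 2. The IPMI 1.5 "NONE" auth type lets a session open with no password.
    for entry in fields.get("Auth Type Enable", []):
        level, _, types = entry.partition(":")
        if "NONE" in types.split():
            findings.append(("auth_none",
                             "auth type NONE enabled for level %s; fix: "
                             "ipmitool lan set %d auth %s MD5,PASSWORD"
                             % (level.strip(), LAN_CHANNEL, level.strip().upper())))

    # 3. Default SNMP communities expose the BMC's configuration.
    community = fields.get("SNMP Community String", [""])[0]
    if community.lower() in ("public", "private"):
        findings.append(("snmp_default",
                         "default SNMP community '%s'; fix: "
                         "ipmitool lan set %d snmp <new-community>"
                         % (community, LAN_CHANNEL)))
    return findings


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LAN_PRINT
    for code, message in audit_lan_print(source):
        print("[%s] %s" % (code, message))
```

The script reads only configuration already on the machine, so it can run from the host OS over the in-band driver the article mentions, or from the management LAN. Reaching a clean result here does not make the BMC safe: the RAKP hash disclosure and the firmware bugs described above remain, so the BMC port still belongs on an isolated management network.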
Many Supermicro server boards that have an "F" in their type designation include remote management BMCs by Taiwanese manufacturer Nuvoton (a Winbond subsidiary) with firmware by Aten. These chips were developed by American Megatrends (AMI) as MegaRACs. In 2010, Emulex acquired former chipset manufacturer ServerEngines and its Pilot BMC product range.