Flaw in Supermicro BMC Leaves Remote Management Passwords Exposed

Written by  Friday, 20 June 2014 15:57 Published in News

passwords stolen thanks to a BMC chip with a fairly serious Universal Plug-n-Play feature. According to security researcher Zachary Wikholm, there is s a flaw in the IPMI BIOS on the WPCM450 BMC (Baseboard Management Controller) that Supermicro uses on their boards (with the exception of very newest ones).

This flaw allows a hacker to send a “GET” request to the board over port 49152 and download files including the password file that is also left in plain text (just to make things worse). In fact the entire directory appears to be up for grabs. Supermicro says they have already patched this with an IPMI BIOS update so they are putting the issue back in the hands of the consumer. The flaw in this logic is that not every server that has this issue can be taken down for the amount of time needed to patch this.

This can mean a significant impact to revenue for smaller companies that rely on their servers for business. Now, that having been said, when you have a large security flaw like this it is important to make the time to update the product to make sure it is protected. That is a fact of life in the IT world. The delay in resolving issues like this can lead to even more lost revenue when someone finds you and uses the flaw to get in.

To find you (and your effected server) all someone needs to do is look for systems that are responding on port 49152. When Wikholm went to find out how many systems might be affected by this he got a very large number in return; over 9 million devices were responding on that port. Not all were Supermicro in the end. It turns out that around 31,000 Supermicro servers respond on this port. Roughly 3300 are still setup using the default password, which is very bad.

The other devices turn out to be modems, routers, IP cameras and other devices with enabled UPnP functions. These devices all returned something from an HTTP Get command, in most cases with kernel version and in others with more detailed information about the device itself.  Wikholm did say that there is a way to turn off all UPnP features on the BMC, but that it was neither supported, nor a permanent fix.

“Most of the systems affected by this particular issue also have their “sh” shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command “shell sh”, you can drop into a functional SH shell. From there you can actually kill all “upnp” processes and their related children, which provides a functional fix. That is of course until the system is completely disconnected from power and reconnected, during which the IPMI module will reboot.”

Issues like this should make people take not and consider just how much of our world is exposed to the internet through simply technologies like UPnP this is not the first UPnP flaw that I have seen and I am sure it will not be the last. To Supermicro owners we have to say: happy updating. If you want more technical background you can check out Wikhom's Blog post

Tell us what you think in our Forum

Read 565 times Last modified on Friday, 20 June 2014 16:03