Over 30,000 servers with Supermicro baseboard management controllers (BMCs) on their motherboards are offering up administrator passwords to anyone who knowns where to look, warns Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net.
This confidential information is made available because the company has created the password file in plain text, and the file can be downloaded by simply connecting to port 49152.
“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” says Wikholm, and adds that this is not the only file that is vulnerable to such an attack. “All the contents of the /nv/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files.”
The vulnerability still endangers servers despite Supermicro fixing the issue with a new IPMI BIOS version, as the fix requires administrators to reflash their systems with the new IPMI BIOS and this is not always possible.
Wikholm has stepped in and has devised a temporary fix for them.
“Most of the systems affected by this particular issue also have their ‘sh’ shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command ‘shell sh’, you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix,” he shared, but added that the fix lasts just as long as the system isn’t disconnected or rebooted.
With the help of John Matherly – the creator of Shodan, the search engine for finding Internet-connected devices – Wikholm decided to check just how many vulnerable systems there are on the internet. The result? 31,964.
“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market,” he pointed out. “It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was ‘password’.”
The existence and the exploitation potential of the flaw was confirmed by SANS ISC handler Tony Carothers: “One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word.”