Supermicro Fails At IPMI, Leaks Admin Passwords
drinkypoo writes: Zachary Wikholm of Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by SuperMicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into Metasploit shortly. There is already a patch available for the affected hardware.
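For anyone who wants to audit their own fleet for the exposure described in the summary, here is an added example of a small check (this is not CARISIRT's, Metasploit's or Supermicro's code). The only facts it takes from the post are the TCP port (49152) and the file name (PSBlock); that the file is served as an unauthenticated HTTP GET of `/PSBlock` at the root of that port, and that a `200` with a non-empty body means "exposed", are assumptions made for the example. The fake BMC server at the bottom is constructed so the script can be exercised offline; it is not a real BMC response.

```python
"""Audit check: does a BMC answer an unauthenticated GET for PSBlock on port 49152?

Added example, not code from the advisory, Metasploit or Supermicro.
Assumptions (not stated on the page): the file is at path "/PSBlock" on
that port, and a 200 response with a body means it is served to anyone.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BMC_PORT = 49152            # from the summary
PSBLOCK_PATH = "/PSBlock"   # assumption: file served at the root of that port


def parse_http_response(raw: bytes):
    """Return (status_code, body) for a raw HTTP/1.x response, (None, b"") if not HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, b""
    return int(parts[1]), body


def classify(status, body: bytes) -> str:
    """Map a response to an audit verdict for the operator."""
    if status is None:
        return "not-http"        # port open but not HTTP: still worth a look
    if status == 200 and body:
        return "exposed"         # file handed out with no authentication at all
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "not-found"
    return "other"


def check_host(host: str, port: int = BMC_PORT, path: str = PSBLOCK_PATH, timeout: float = 3.0) -> dict:
    """Issue one HTTP/1.0 GET and classify the answer. Never prints the body:
    the point is to find exposed BMCs, not to collect their credentials."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError as exc:
        return {"host": host, "verdict": "unreachable", "error": str(exc)}
    status, body = parse_http_response(b"".join(chunks))
    return {"host": host, "verdict": classify(status, body), "status": status, "body_bytes": len(body)}


def serve_fake_bmc(body: bytes, status: int = 200):
    """Constructed stand-in for a BMC: answers every GET on 127.0.0.1 with `body`.
    Returns (port, server); call server.shutdown() when done."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


if __name__ == "__main__":
    # Offline demonstration against the constructed fake; on a real network you
    # would feed check_host() the management addresses of your own BMCs.
    port, srv = serve_fake_bmc(b"\x00constructed-fake-psblock\x00")
    print(check_host("127.0.0.1", port=port))
    srv.shutdown()
    srv.server_close()
```

The verdict "exposed" is the one that calls for action: patch the BMC, and, as the comments below argue, get the management interface off any network where strangers can reach port 49152 in the first place. Anything other than "unreachable" from outside your management network is itself a finding, since the BMC should not be answering at all.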
Anyone who trusted SuperMicro... (Score:2, Insightful)
Anyone who trusted SuperMicro for anything business critical gets what they deserved. I had the misfortune of working with their engineering department back in 2006/2007. They were absolutely clueless. Slapping random components together hoping to build good server motherboards, wondering why things would perform oddly or be unstable. They admittedly got it right more often than not, but that's not exactly what you want for servers. Stuff like this is proof they aren't serious business.
What moron puts IPMI public facing? (Score:4, Insightful)
What use case? This sort of thing should always be behind a firewall. Is it too hard to VPN in? Hell, our Supermicro IPMIs work rather well through a proxy on the firewall (Dell and HP for that matter).
Re:What moron puts IPMI public facing? (Score:4, Insightful)
Exactly. Supermicro definitely screwed the pooch on this one, but so has anyone deploying these systems without a firewall in front of them. It's just common sense.
Re:What moron puts IPMI public facing? (Score:4, Insightful)
In increasing order of moron, here are a few ways that this can happen:
1) The IPMI may share the same port as the primary network interface.
2) You may have requested an expensive switching architecture with proper VLAN segregation, but your manager only approved you to take the old D-Link box from under his desk, forcing everything to be on the same segment.
3) The people who run the datacentre may have thoughtfully connected every Ethernet port they could find to your switch, even the one with that funny wrench symbol on it, without telling you. In many cases it's possible for a server to be purchased, received, installed, configured and put into production without any of its owners ever seeing it in person. Throw in a heavy dose of "It's somebody else's problem" all around and anything can happen.
4) In some organizations (and I'm not going to name any), IT policy like "All management ports must be reachable from our head office and the IT support desk in Hyderabad" is set by people who think that "security" means remembering to lock their Lexus.