Rapid7 security researchers have identified a number of vulnerabilities in the Intelligent Platform Management Interface (IPMI) firmware developed by Supermicro, a US-based company that provides various types of servers.
According to Rapid7's HD Moore, a total of seven security holes have been identified. Currently, more than 35,000 such IPMI systems can be reached from the public Internet, so the potential victim base is fairly large.
First, the researchers found that the firmware ships with hardcoded private encryption keys. Because the firmware image itself is publicly available, anyone can extract these keys, and an attacker can use them to mount man-in-the-middle attacks against the device's encrypted management interface.
Second, the researchers identified what is essentially a backdoor in the OpenWSMan interface: two sets of hardcoded credentials are readily available to anyone who knows where to look, and neither of them can be changed.
In addition to these credential weaknesses, the researchers identified buffer overflows in the logout.cgi, close_window.cgi and login.cgi CGI applications.
url_redirect.cgi is vulnerable to directory traversal because the url_name parameter passed to the CGI application is not sanitized.
Finally, Rapid7 warns that a low-privileged attacker can gain root access to the device through an issue affecting more than 65 of the CGI applications exposed by the web interface.
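The two CGI bug classes described above, the unbounded copy of a request parameter and the unsanitized url_name path, are illustrated by the following hardened handler. This is an added example written for this article, not Supermicro firmware code or Rapid7's proof of concept; the function names, the web root /var/www/ and the 128-byte buffer are assumptions, and the query strings at the bottom are constructed samples.

```c
/* Hypothetical CGI input handling, added for this article; not Supermicro's
 * code. Shows (1) a bounded, percent-decoding parameter extractor, where an
 * unchecked strcpy() of the value is the pattern behind overflows such as
 * those reported in login.cgi/logout.cgi/close_window.cgi, and (2) lexical
 * confinement of a url_name-style path under the web root, the check that
 * url_redirect.cgi lacked. Names, paths and sizes are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 128         /* assumed size of the CGI's destination buffer */
#define WEB_ROOT  "/var/www/" /* assumed web root; must end with '/' */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the percent-decoded value of `name` from a query string into out.
 * Returns the value length, or -1 if the parameter is missing, the encoding
 * is malformed, a decoded NUL would truncate the C string, or the value does
 * not fit (refused instead of overflowed). */
int get_param(const char *query, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name), n = 0;
    const char *p = query;
    if (outsz == 0) return -1;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            for (p += nlen + 1; *p && *p != '&'; ) {
                int c;
                if (*p == '%') {                 /* decode before any check */
                    int hi = hexval((unsigned char)p[1]);
                    int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
                    if (lo < 0) return -1;
                    c = hi * 16 + lo;
                    p += 3;
                } else {
                    c = (*p == '+') ? ' ' : (unsigned char)*p;
                    p++;
                }
                if (c == 0 || n + 1 >= outsz) return -1;
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return (int)n;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

/* Resolve a decoded relative path under WEB_ROOT without touching the
 * filesystem: "." and empty segments are dropped, ".." pops one segment and
 * is rejected when it would climb above the root. Absolute paths and
 * backslashes are rejected outright. Returns the length of out or -1. */
int confine_path(const char *rel, char *out, size_t outsz) {
    size_t rootlen = strlen(WEB_ROOT), len = rootlen;
    const char *p = rel;
    if (rel[0] == '/' || strchr(rel, '\\') || rootlen + 1 > outsz) return -1;
    memcpy(out, WEB_ROOT, rootlen + 1);
    while (*p) {
        const char *e = strchr(p, '/');
        size_t slen = e ? (size_t)(e - p) : strlen(p);
        if (slen == 0 || (slen == 1 && p[0] == '.')) {
            /* skip */
        } else if (slen == 2 && p[0] == '.' && p[1] == '.') {
            if (len == rootlen) return -1;      /* traversal above the root */
            len--;                              /* drop trailing '/' ... */
            while (out[len - 1] != '/') len--;  /* ... and the last segment */
            out[len] = '\0';
        } else {
            if (len + slen + 1 >= outsz) return -1;
            memcpy(out + len, p, slen);
            len += slen;
            out[len++] = '/';
            out[len] = '\0';
        }
        if (!e) break;
        p = e + 1;
    }
    if (len > rootlen && out[len - 1] == '/') out[--len] = '\0';
    return (int)len;
}

/* url_redirect.cgi-style entry point. Returns an HTTP-style status: 200 with
 * the confined path in resolved, 400 for a missing/malformed/overlong
 * url_name, 403 when the value tries to escape the web root. */
int resolve_url_name(const char *query, char *resolved, size_t outsz) {
    char value[VALUE_MAX];
    if (outsz) resolved[0] = '\0';
    if (get_param(query, "url_name", value, sizeof value) < 0) return 400;
    if (confine_path(value, resolved, outsz) < 0) return 403;
    return 200;
}

int main(void) {
    char path[256];
    const char *reqs[] = {                      /* constructed sample requests */
        "url_name=img%2F..%2Flogin.html",
        "url_name=..%2F..%2Fetc%2Fpasswd",
        "sid=abc&url_name=/etc/passwd",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof *reqs; i++) {
        int st = resolve_url_name(reqs[i], path, sizeof path);
        printf("%-36s -> %d %s\n", reqs[i], st, path);
    }
    return 0;
}
```

Two points matter in practice: the traversal check runs on the decoded value, so "%2e%2e%2f" is caught the same way as "../", and a decoded %00 is refused rather than being allowed to silently shorten the string after the check has passed.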
Initially, Supermicro only confirmed receipt of the vulnerability reports and gave Rapid7 no status updates. Shortly after the security firm published its findings, Supermicro clarified that a patch had been made available.
However, the researchers have not been able to determine whether all of the issues they reported have been properly fixed.
Rapid7 says it has contacted Supermicro again with a new series of security holes.
“A cursory review of the new firmware shows significant improvements, but far more work is needed to provide a secure management console,” HD Moore noted.