Thousands of servers seem to be affected by the vulnerability

Jun 20, 2014 06:33 GMT

Plain-text passwords used for remote log-in to servers can be retrieved from machines equipped with motherboards built by Supermicro, a company that manufactures and sells computer hardware.

The security weakness, found by Zachary Wikholm, senior security engineer with the CARInet Security Incident Response Team, lies in the motherboard's baseboard management controller (BMC), a component that lets administrators monitor the machine's health by reporting current temperatures, fan speeds, power-supply voltage, and disk and memory performance data.

BMCs are not used just for monitoring the state of the server remotely, though; they also provide remote control functionality.

Supermicro has released a firmware update that fixes the problem, but many systems remain vulnerable because the technical implications of applying it prevent them from being patched.

According to the disclosure, “Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152.”

“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” adds the engineer.

Using Shodan, a search engine that indexes Internet-connected devices and lets users filter them by given parameters, Wikholm found a total of 31,964 vulnerable systems.

Some of the retrieved passwords also appear to be default credentials, a practice that should be avoided at all costs.

“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market. It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was ‘password’.”

Apart from flashing the BIOS, Wikholm proposes another workaround, but it is only temporary: it works until the next reboot of the IPMI (Intelligent Platform Management Interface), which can be caused by disconnecting the power supply.

The solution consists of connecting to the vulnerable machine through SSH and disabling UPnP (Universal Plug and Play): “Most of the systems affected by this particular issue also have their ‘sh’ shell accessible from the SMASH command line. If you log in to the SMASH via ssh and run the command ‘shell sh,’ you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix.”
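The quoted workaround as a script, added here as an example and not code from the article, CARInet or Supermicro: it assumes a BusyBox-style `ps` and `netstat` on the BMC, the `APPLY_FIX` switch is an assumption of this script, and the `ps`/`netstat` samples are constructed to show the parsing without touching a live system.

```shell
#!/bin/sh
# Added example, not code from the article, CARInet or Supermicro: automates the
# workaround quoted above from the BMC's sh shell (SMASH over SSH, "shell sh"):
# kill every UPnP process, then confirm nothing listens on TCP 49152. Holds only
# until the next BMC reboot. Assumes BusyBox-style ps/netstat output (assumption).

# List PIDs whose command line mentions "upnp"; takes ps output as an argument.
find_upnp_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && tolower($0) ~ /upnp/ { print $1 }'
}

# Terminate the UPnP daemon and its children; prints how many were signalled.
kill_upnp() {
    count=0
    for pid in $(find_upnp_pids "$(ps)"); do
        kill "$pid" 2>/dev/null || kill -9 "$pid" 2>/dev/null
        count=$((count + 1))
    done
    echo "$count"
}

# Exit 0 when no TCP socket listens on 49152 in the given netstat output.
port_49152_closed() {
    ! printf '%s\n' "$1" | grep -q '[.:]49152[[:space:]].*LISTEN'
}

# Constructed sample output (not from a real BMC) to show the parsing offline.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1234 S    init
  412 root      3456 S    /usr/local/bin/upnp_daemon
  413 root      2200 S    upnp_ssdp_child
  500 root      1000 S    sshd'
SAMPLE_NETSTAT_BEFORE='tcp  0  0 0.0.0.0:49152  0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:22     0.0.0.0:*  LISTEN'
SAMPLE_NETSTAT_AFTER='tcp  0  0 0.0.0.0:22     0.0.0.0:*  LISTEN'
echo "UPnP PIDs in sample ps output: $(find_upnp_pids "$SAMPLE_PS" | xargs)"

# Only touch the live system when asked explicitly: APPLY_FIX=1 sh fix.sh
if [ "${APPLY_FIX:-0}" = 1 ]; then
    echo "Signalled $(kill_upnp) UPnP process(es)"
    sleep 1
    ns=$(netstat -tln 2>/dev/null)
    if [ -z "$ns" ]; then
        echo "WARNING: netstat unavailable; verify port 49152 manually" >&2
    elif port_49152_closed "$ns"; then
        echo "OK: nothing listens on TCP 49152 (until the next BMC reboot)"
    else
        echo "WARNING: TCP 49152 still listening; check ps for upnp processes" >&2
    fi
fi
```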

A post on the InfoSec Community forum confirmed the vulnerability discovered by Wikholm, saying that the password file can be downloaded simply by connecting to port 49152.