Login   |   Secure Purdue > News

Advisory: IPMI Vulnerability

STEAM-ADVISORY NO. 2014071101
PURDUE UNIVERSITY SECURITY STEAM-CIRT
Friday, July 11th, 2014 10:48am

==OVERVIEW==
IPMI is a protocol used mainly for remote management of server hardware. There is an embedded, independent CPU with its own memory and storage, which runs Linux, and is called the Baseboard Management Controller (BMC). The BMC is designed to operate even when the server is powered off. This system is used to run network services (web, telnet, VNC, SMTP, etc.) to help manage, debug, monitor, reboot, and roll out servers and virtual systems for a physical server.

Systems with IPMI availability, on a publicly accessible IP address, are especially vulnerable to attack. Attackers can easily identify and control systems that run IPMI and can steal username/password combinations, gain complete control over hardware/software/firmware, and grant remote access to the BIOS and operating system.


==SYSTEMS AFFECTED==
The systems that are affected are any improperly configured server class hardware. Different server hardware manufacturers rebrand BMCs.
The following list names the unique rebrand from some of the most common server manufacturers:

Dell ------------- iDrac
HP ------------- iLO
IBM -------------- IMM2 or Remote Supervisor Adapter
Sun -------------- ILOM
Fujitsu ---------- iRMC
Supermicro ------- IPMI


==DETAILS==
According to Rapid7 there are 6 vulnerabilities. The below is a summary of the vulnerabilities from:
community.rapid7 .com /docs/DOC-2344 (copy/paste and remove spaces):

1. BMCs that support version 2.0 of the IPMI protocol often support an encryption method known as "Cipher 0". This cipher essentially bypasses the entire authentication process allowing IPMI commands from any source. Many BMC manufacturers enable this method by default. Exploitation can be performed using standard command-line IPMI tools.

2. BMCs that support version 2.0 of the IPMI protocol send any
requesting client a cryptographic hash of the requested user's password prior to authentication. An attacker can perform an offline brute force attack on this hash to quickly determine the correct password. This vulnerability is mitigated by the use of lengthy, complex passwords. A standalone python script and a separate Metasploit module exist to reproduce this attack.

3. BMCs that support version 2.0 of the IPMI protocol may support
"anonymous" logins using a username and password set to the null value. This differs from the 1.5 "none" authentication method and acts like a real user account, one that often has administrative privileges. Some vendors ship their BMCs with an anonymous login configured by default. Exploitation can be performed using standard command-line IPMI tools.

4. BMCs that support any version of the IPMI protocol provide the
ability to enumerate authentication methods remotely with using a Get Channel Authentication request. The protocol specification mandates this support and the BMCs response indicates whether an anonymous login has been configured, whether IPMI 2.0 commands are supported, and whether the "none" authentication method is honored. This is a significant information leak and simplifies the discovery and exploitation of IPMI devices. A standalone python script and a separate Metasploit module exist to reproduce this attack.

5. Some BMC’s, including Supermicro’s versions, enable the Universal
Plug and Play (UPnP) protocol by default and provide no way for the user to disable this functionality. Supermicro uses firmware supplied by a company called ATEN, and they in turn use a vulnerable version of libupnp in their shipping firmware images. A Metasploit exploit module exists that provides remote root on Supermicro BMCs using this vulnerability.

6. Because of the Protocol specification, IPMI passwords must be
stored unencrypted on the BMC. This has significant ramifications when combined with the other vulnerabilities that allow remote root access to the BMC, because organizations place servers into large (at times exceeding 100,000 or more computers) managed IPMI groups that all share the same password. This is especially serious in the context of hosting providers, as these providers often configure two passwords - one known to the provider and another given to the customer. The exposure of clear text credentials makes it possible for an attacker to compromise all BMCs using the same password. Information how and where these passwords are stored has been documented online, and has been confirmed on both Dell and Supermicro BMC implementations.


==SOLUTIONS==
1. Identify Affected Products -
Dell ------------- iDrac
HP ------------- iLO
IBM -------------- IMM2 or Remote Supervisor Adapter
Sun -------------- ILOM
Fujitsu ---------- iRMC
Supermicro ------- IPMI

2. Restrict IPMI to Internal Networks -
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.

3. Utilize Strong Passwords –
Devices running IPMI should have strong, unique passwords set for the IPMI service. See US-CERT Security Tip ST04-002 and Password Security, Protection, and Management for more information on password security.

4. Encrypt Traffic –
Enable encryption on IPMI interfaces, if possible. Check your manufacturer manual for details on how to set up encryption.

5. Require Authentication –
The "cipher 0" option is enabled by default on many IPMI enabled devices that allows authentication to be bypassed. Disable "cipher 0"
to prevent attackers from bypassing authentication and sending arbitrary IPMI commands. Anonymous logins should also be disabled.
Supermicro BMC “cipher 0” fix can be found at supermicro .com /support/faqs/faq.cfm?faq=16536 (copy/paste and remove the spaces).

6. Sanitize Flash Memory at End of Life –
Follow manufacturer recommendations for sanitizing passwords. If none exists, destroy the flash chip, motherboard, or other areas the IPMI password may be stored.


==FURTHER INFORMATION AND RESOURCES==
(copy/paste and remove the spaces)
us-cert .gov /ncas/alerts/TA13-207A
fish2 .com /ipmi/itrain.pdf
fish2 .com /ipmi/bp.pdf
community.rapid7 .com /community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
community.rapid7 .com /docs/DOC-2344
ipmiscan.shadowserver .org
supermicro .com /FAQ/index.aspx?&se=16536&k=y


==STEAM-CIRT CONTACT INFORMATION==
For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
purdue .edu /securePurdue/incidentReportForm.cfm
purdue .edu /securepurdue/steam
(copy/paste and remove spaces)

Posted by ITSP on July 11, 2014, in Advisory Alerts.