The CARI.net team has published a new vulnerability in Supermicro's IPMI/BMC management implementation. A file containing the BMC's passwords in plaintext can be downloaded by anyone who can reach TCP port 49152 on the BMC; no credentials are needed, just a connection to that port. One of our team has tested this vulnerability, and it works like a champ, so let's add another log to the fire and spread the good word. Until a fixed firmware is installed, the practical check is whether any of your BMC interfaces answer on TCP 49152 from anywhere outside a dedicated management network; if they do, move them there now, since a BMC should never be reachable from untrusted networks in the first place. The CARI.net team has a great writeup on the vulnerability linked below: http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
tony d0t carothers --gmail
Tony, 150 Posts, ISC Handler, Jun 19th 2014
A bunch of signatures came up recently. They might be related to this:

Snort VRT
1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)

Emerging Threats
2018585 - ET EXPLOIT Supermicro BMC Password Disclosure 1 (exploit.rules)
2018586 - ET EXPLOIT Supermicro BMC Password Disclosure 2 (exploit.rules)
2018587 - ET EXPLOIT Supermicro BMC Password Disclosure 3 (exploit.rules)
2018588 - ET EXPLOIT Supermicro BMC Password Disclosure 4 (exploit.rules)

Trend Micro
http://www.tripwire.com/state-of-security/top-security-stories/vert-alert-supermicro-ipmibmc-plaintext-password-disclosure/

Scanners
OpenVAS: https://wald.intevation.org/scm/viewvco.php/scripts/2014/gb_supermicro_bmc_06_14.nasl?root=openvas-nvts&view=markup
Nmap: http://seclists.org/nmap-dev/2014/q2/525

MD, 11 Posts, Jun 23rd 2014
SM has not posted a revised firmware to correct the issue for the H8DG6-F mainboard. It is vulnerable.

Starlight, 34 Posts, Jun 23rd 2014
Hey guys,

If you find ANY products by any other vendor that are susceptible to this issue, please let me know. It appears that Supermicro sold OEM versions of this to some other companies whose subsequent products are similarly affected. I have a dialogue with Supermicro open about this. I'm also tracking any and all boards that either are not well known, do not have official patches, or you have trouble patching.

Thanks!
Zach W.
sirt@cari.net

Zach W, 10 Posts, Jun 24th 2014
Found a mitigation for older BMC firmwares not vulnerable to the UPnP attack, but vulnerable to the equally bad and more widespread cipher-suite-0 attack vulnerability.

One should first issue

ipmitool ... channel getciphers ipmi 1
ipmitool ... lan print 1

where ... designates typical authentication and target address parameters. For a Supermicro X8DTU-F mainboard running firmware version 1.17, one obtains first a list of active cipher sets, and second one sees

Cipher Suite Priv Max : aaaaXXaaaXXaaXX

where 'X's correspond to empty cipher sets and 'a's correspond to available ciphers. Then run

ipmitool ... lan set 1 cipher_privs uuuaXXuuuXXuuXX

which restricts all Cipher-Suites except C3 to user-privilege-only activities. Testing with

ipmitool ... -P bad_passwd -C0 user list

now returns

Set Session Privilege Level to ADMINISTRATOR failed

Disabling all accounts except those at administrator access level prevents unauthenticated access, but for shops where user access level is employed this will still prevent creation of new accounts. Setting user-access account names to non-default and non-obvious values will reduce risk further. It would be preferable to employ 'X' to completely disable cipher suites, but this doesn't work for this particular BMC and leaves suites open to administrator account login. Anyone applying this must be *VERY* careful to place the 'a' in the correct position or they may lock themselves out from administrative access.

------

Another old BMC, the HP LO-100, is mitigated with

ipmitool ... lan set 2 cipher_privs uuuOXXXXXXXXXXX

With a LO-100, one should use the web management interface and disable all but one or two logins to reduce the attack surface. Avoid permitting user-access-level accounts.

Yet another example is an old Tyan M3295 IPMI daughter card, also vulnerable to cipher-suite-0 attack. In this case 'X' is effective for disabling cipher sets and the hole may be closed with

ipmitool ... lan set 1 cipher_privs XXXaXXXXXXXXXXX

Starlight, 34 Posts, Jun 25th 2014
Correction: it appears that Cipher-Suite-1 is referenced by web administration with the X8DTU-F BMC firmware. To avoid locking out web management, use this instead of the above:

ipmitool ... lan set 1 cipher_privs uauaXXuuuXXuuXX

Starlight, 34 Posts, Jun 25th 2014
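The cipher-suite-0 mitigation in the two Starlight posts above comes down to editing a 15-character privilege string by hand, and the posts warn that one misplaced 'a' locks you out. The following is an added example, not code from any poster in this thread, that parses the "Cipher Suite Priv Max" line out of ipmitool 'lan print' output, demotes every supported suite to USER except the ones you choose to keep at ADMIN (suite 3 only, or suites 1 and 3 for the web-UI correction), optionally uses 'X' instead of 'u' for BMCs like the Tyan card that honour disabling, and refuses the combinations that would lock an administrator out or leave suite 0 at ADMIN. The sample 'lan print' text is constructed, not captured from a real BMC, and the printed ipmitool command follows the shape used in the posts, with "..." standing in for the connection and authentication parameters.

```python
"""
Build and sanity-check an ipmitool 'cipher_privs' string for the
cipher-suite-0 mitigation.  Added example; the SAMPLE_LAN_PRINT text below
is constructed to match the Priv Max string quoted in the thread.
"""
import re

# 'ipmitool lan print' shows one character per RMCP+ cipher suite ID 0..14:
#   X = suite unused, c = CALLBACK, u = USER, o = OPERATOR, a = ADMIN, O = OEM
PRIV_CHARS = "XcuoaO"
PRIV_MAX_RE = re.compile(r"Cipher Suite Priv Max\s*:\s*([" + PRIV_CHARS + r"]{15})")

# Constructed sample of 'ipmitool ... lan print 1' output for a BMC that still
# allows ADMIN over cipher suite 0 (the state reported for the X8DTU-F above).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""


def parse_priv_max(lan_print_output):
    """Return the 15-character 'Cipher Suite Priv Max' string from lan print output."""
    m = PRIV_MAX_RE.search(lan_print_output)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line found")
    return m.group(1)


def suite0_privilege(priv_max):
    """Highest privilege reachable through cipher suite 0 (no auth, no
    integrity, no confidentiality).  Anything but 'X' is reachable without a
    valid password; 'a' or 'o' is the full-compromise case."""
    return priv_max[0]


def harden(priv_max, keep_admin=(3,), demote_to="u"):
    """Return a new cipher_privs string.

    Every supported suite is lowered to `demote_to` ('u' = USER, or 'X' on
    BMCs that honour disabling), except the suite IDs in `keep_admin`, which
    stay at 'a'.  Unused suites ('X') are left alone.  Raises ValueError for
    settings that would lock out administrative access or leave suite 0 at ADMIN.
    """
    if len(priv_max) != 15 or any(ch not in PRIV_CHARS for ch in priv_max):
        raise ValueError("malformed Priv Max string: %r" % priv_max)
    if demote_to not in PRIV_CHARS or demote_to == "a":
        raise ValueError("demote_to must be a privilege below ADMIN")
    if not keep_admin:
        raise ValueError("refusing: no suite left at ADMIN, this would lock you out")
    for suite in keep_admin:
        if not 0 <= suite < 15:
            raise ValueError("cipher suite id out of range: %d" % suite)
        if suite == 0:
            raise ValueError("refusing: suite 0 at ADMIN is the vulnerability itself")
        if priv_max[suite] == "X":
            raise ValueError(
                "refusing: suite %d is unused on this BMC; keeping only unused "
                "suites at ADMIN would lock you out" % suite)
    out = []
    for suite, current in enumerate(priv_max):
        if current == "X":
            out.append("X")            # never resurrect an unused suite
        elif suite in keep_admin:
            out.append("a")
        else:
            out.append(demote_to)
    return "".join(out)


def lan_set_command(privs, channel=1, auth_args="..."):
    """The ipmitool command that applies `privs`; `auth_args` stands for the
    connection and authentication parameters, written as '...' in the posts."""
    return "ipmitool %s lan set %d cipher_privs %s" % (auth_args, channel, privs)


if __name__ == "__main__":
    current = parse_priv_max(SAMPLE_LAN_PRINT)
    print("current  :", current, "(suite 0 max priv: %s)" % suite0_privilege(current))
    # Keep suite 3 for ipmitool and suite 1 for the web UI, per the correction post.
    hardened = harden(current, keep_admin=(1, 3))
    print("hardened :", hardened)
    print(lan_set_command(hardened))
```

Run it against the saved output of your own 'lan print' instead of the sample, apply the printed command, then re-run 'lan print' and confirm that position 0 of the new Priv Max string is no longer 'a' or 'o'; with every suite still at 'u' the unauthenticated USER-level exposure the post describes remains, so the account-name advice in the post still applies.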