New Supermicro IPMI/BMC Vulnerability - SANS Internet Storm Center

New Supermicro IPMI/BMC Vulnerability
A new vulnerability has been released by the CARI.net team regarding Supermicro�??s implementation of IPMI/BMC for management. The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152. One of our team has tested this vulnerability, and it works like a champ, so let�??s add another log to the fire and spread the good word. The CARI.net team has a great writeup on the vulnerability linked below: http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/ Much thanx to the Zach at CARI.net for the heads-up. tony d0t carothers --gmail	Tony 150 Posts ISC Handler Jun 19th 2014
Thread locked Subscribe	Jun 19th 2014 7 years ago
Bunch of signatures came up recently. They might be related to this: Snort VRT 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules) 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules) 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules) 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules) Emerging threats 2018585 - ET EXPLOIT Supermicro BMC Password Disclosure 1 (exploit.rules) 2018586 - ET EXPLOIT Supermicro BMC Password Disclosure 2 (exploit.rules) 2018587 - ET EXPLOIT Supermicro BMC Password Disclosure 3 (exploit.rules) 2018588 - ET EXPLOIT Supermicro BMC Password Disclosure 4 (exploit.rules) Trend Micro http://www.tripwire.com/state-of-security/top-security-stories/vert-alert-supermicro-ipmibmc-plaintext-password-disclosure/ Scanners OpenVAS https://wald.intevation.org/scm/viewvco.php/scripts/2014/gb_supermicro_bmc_06_14.nasl?root=openvas-nvts&view=markup Nmap http://seclists.org/nmap-dev/2014/q2/525	MD 11 Posts
Quote	Jun 23rd 2014 7 years ago
SM has not posted a revised firmware to correct issue for the H8DG6-F mainboard. Is vulnerable.	Starlight 34 Posts
Quote	Jun 23rd 2014 7 years ago
Hey guys, If you find ANY products by any other vendor that are susceptible to this issue, please let me know. It appears that Supermicro sold OEM versions of this to some other companies who's subsequent products are similarly affected. I have a dialogue with Supermicro open about this. I'm also tracking any and all boards that either are not well known, do not have official patches or you have trouble patching. Thanks! Zach W. sirt@cari.net	Zach W 10 Posts
Quote	Jun 24th 2014 7 years ago
Found a mitigation for older BMC firmwares not vulnerable to the UPnP attack, but vulnerable to the equally bad and more widespread cipher-suite-0 attack vulnerability. One should first issue ipmitool ... channel getciphers ipmi 1 ipmitool ... lan print 1 Where ... designates typical authentication and target address parameters. For a Supermicro X8DTU-F mainboard running firmware version 1.17, one obtains first a list of active cipher sets and second one sees . . . Cipher Suite Priv Max : aaaaXXaaaXXaaXX Where 'X's correspond to empty cipher sets and 'a's correspond to available ciphers. Then run ipmitool ... lan set 1 cipher_privs uuuaXXuuuXXuuXX which restricts all Cipher-Suites except C3 to user-privilege-only activities. Testing with ipmitool ... -P bad_passwd -C0 user list now returns Set Session Privilege Level to ADMINISTRATOR failed Disabling all accounts except those at administrator access level prevents unauthenticated access, but for shops where user access level is employed this will still prevent creation of new accounts. Setting user-access account names to non-default and non-obvious values will reduce risk further. Would be preferable to employ 'X' to completely disable cipher suites, but this doesn't work for this particular BMC and leaves suites open to administrator account login. Anyone applying this must be VERY careful to place the 'a' in the correct position or they may lock themselves out from administrative access. ------ Another old BMC, the HP LO-100 is mitigated with ipmitool ... lan set 2 cipher_privs uuuOXXXXXXXXXXX With a LO-100, one should use the web management interface and disable all but one or two logins to reduce the attack surface. Avoid permitting user-access-level accounts. Yet another example is an old Tyan M3295 IPMI daughter card, also vulnerable to cipher-suite-0 attack. In this case 'X' is effective for disabling cipher sets and the hole may be closed with ipmitool ... lan set 1 cipher_privs XXXaXXXXXXXXXXX	Starlight 34 Posts
Quote	Jun 25th 2014 7 years ago
correction: appears that Cipher-Suite-1 is referenced by web administration with the X8DTU-F BMC firmware. To avoid locking out web management, use this instead of the above: ipmitool ... lan set 1 cipher_privs uauaXXuuuXXuuXX	Starlight 34 Posts
Quote	Jun 25th 2014 7 years ago

A new vulnerability has been released by the CARI.net team regarding Supermicro�??s implementation of IPMI/BMC for management. The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152. One of our team has tested this vulnerability, and it works like a champ, so let�??s add another log to the fire and spread the good word. The CARI.net team has a great writeup on the vulnerability linked below:

http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

Much thanx to the Zach at CARI.net for the heads-up.

tony d0t carothers --gmail

Tony

150 Posts
ISC Handler

Jun 19th 2014

Bunch of signatures came up recently. They might be related to this:

Snort VRT

1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)

Emerging threats

2018585 - ET EXPLOIT Supermicro BMC Password Disclosure 1 (exploit.rules)
2018586 - ET EXPLOIT Supermicro BMC Password Disclosure 2 (exploit.rules)
2018587 - ET EXPLOIT Supermicro BMC Password Disclosure 3 (exploit.rules)
2018588 - ET EXPLOIT Supermicro BMC Password Disclosure 4 (exploit.rules)

Trend Micro

http://www.tripwire.com/state-of-security/top-security-stories/vert-alert-supermicro-ipmibmc-plaintext-password-disclosure/

Scanners

OpenVAS

https://wald.intevation.org/scm/viewvco.php/scripts/2014/gb_supermicro_bmc_06_14.nasl?root=openvas-nvts&view=markup

Nmap

http://seclists.org/nmap-dev/2014/q2/525

MD

11 Posts

SM has not posted a revised firmware to correct issue for the H8DG6-F mainboard. Is vulnerable.

Starlight

34 Posts

Hey guys,

If you find ANY products by any other vendor that are susceptible to this issue, please let me know. It appears that Supermicro sold OEM versions of this to some other companies who's subsequent products are similarly affected. I have a dialogue with Supermicro open about this.

I'm also tracking any and all boards that either are not well known, do not have official patches or you have trouble patching. Thanks!

Zach W.
sirt@cari.net

Zach W

10 Posts

Found a mitigation for older BMC firmwares
not vulnerable to the UPnP attack, but
vulnerable to the equally bad and more
widespread cipher-suite-0 attack
vulnerability.

One should first issue

ipmitool ... channel getciphers ipmi 1
ipmitool ... lan print 1

Where ... designates typical authentication
and target address parameters.

For a Supermicro X8DTU-F mainboard running
firmware version 1.17, one obtains first a
list of active cipher sets and second one
sees

.
.
.
Cipher Suite Priv Max : aaaaXXaaaXXaaXX

Where 'X's correspond to empty cipher sets and
'a's correspond to available ciphers. Then
run

ipmitool ... lan set 1 cipher_privs uuuaXXuuuXXuuXX

which restricts all Cipher-Suites except C3
to user-privilege-only activities.

Testing with

ipmitool ... -P bad_passwd -C0 user list

now returns

Set Session Privilege Level to ADMINISTRATOR failed

Disabling all accounts except those at
administrator access level prevents
unauthenticated access, but for shops where
user access level is employed this will still
prevent creation of new accounts. Setting
user-access account names to non-default and
non-obvious values will reduce risk further.

Would be preferable to employ 'X' to
completely disable cipher suites, but this
doesn't work for this particular BMC and
leaves suites open to administrator account
login.

Anyone applying this must be *VERY* careful
to place the 'a' in the correct position or
they may lock themselves out from
administrative access.

------

Another old BMC, the HP LO-100 is mitigated with

ipmitool ... lan set 2 cipher_privs uuuOXXXXXXXXXXX

With a LO-100, one should use the web
management interface and disable all but one
or two logins to reduce the attack surface.
Avoid permitting user-access-level accounts.

Yet another example is an old Tyan M3295
IPMI daughter card, also vulnerable to
cipher-suite-0 attack. In this case 'X' is
effective for disabling cipher sets and the
hole may be closed with

ipmitool ... lan set 1 cipher_privs XXXaXXXXXXXXXXX

Starlight

34 Posts

correction:

appears that Cipher-Suite-1 is referenced
by web administration with the X8DTU-F
BMC firmware. To avoid locking out web
management, use this instead of the
above:

ipmitool ... lan set 1 cipher_privs uauaXXuuuXXuuXX

Starlight

34 Posts