Metasploit creator and Rapid7 CSO HD Moore today disclosed seven zero-day vulnerabilities in IPMI firmware from vendor Super Micro. The security issues were reported to the vendor in August, however the vendor, beyond acknowledging receipt of the vulnerabilities never communicated with Rapid7 regarding a fix.
A Super Micro representative told Threatpost that this was an “old story” and that the issue had been resolved. A request for further comment from a Super Micro project manager was not returned in time for publication and the availability of patches could not be confirmed.
September 1, 2016 , 11:52 am
August 29, 2016 , 5:40 pm
August 22, 2016 , 1:52 pm
“The vendor has been pretty quiet on this; they acknowledged receipt of the vulnerabilities, but that’s the long and short of it. They’ve said nothing to us about a patch,” said Rapid7 senior manager of engineering Tod Beardsley. “I imagine they’ll be patching silently, but honestly if they do issue patches and make a lot of noise about it, nobody updates these things. It’s embedded hardware that sits on more traditional hardware, but like anything embedded, nobody gets patches for these. I worked in IT for years, and I think I updated BIOS once.”
IPMI, or intelligent platform management interface, are tiny computers that sit on a motherboard that are used by IT administrators in large data centers for remote management of servers or remote BIOS maintenance. They’re mostly present in rack-mount servers, and are cumbersome to update because they often require physical access to the hardware, and in a service provider environment, for example, there could be hundreds of these embedded devices present.
Beardsley said that a Project Sonar scan for the IPMI firmware in question, version SMT_X9_226, found 35,000 of them online. He estimates that number likely represents less than 10 percent of the total devices in use.
While these are previously unreported vulnerabilities—Metasploit exploit modules are in the works, Moore said—exploiting them requires a bit of understanding on the attacker’s part.
“You definitely have to know what you’re doing; it’s a different architecture,” Beardsley said. “Most exploit developers and vulnerability researchers are familiar with Intel x86 or Intel 64-bit, or ARM because Android runs on ARM, so it’s popular. But these things run on pretty unusual hardware for infosec guys. Getting reliable exploitability is difficult. I don’t expect a worm in the next six hours or anything. We’ve been sitting on these for a while, trying to get reliable exploits. We can crash all day long, but that’s useless. Getting reliable exploits is tricky. We’ve been going back and forth between emulated environments and real environments and things that seem to work great in emulated environments just fall over on the physical device. It will take some effort for sure.”
However, if an attacker is able to exploit one of the IPMI vulnerabilities disclosed, they would not only be on the network, but could take control of the server in question at a BIOS level.
Of the seven vulnerabilities disclosed, the most serious involve static private encryption keys hardcoded into the firmware for both the Lighttpd Web server SSL interface and the Dropbear SSH daemon, Moore said.
“An attacker with access to the publicly available Supermicro firmware can perform man-in-the-middle and offline decryption of communication to the firmware,” Moore said in a blogpost.
Beardsley said that while it’s possible for the admin to update the SSL key for the Web interface, it does not appear possible to update the SSH key.
“So once you know the private key, which you can easily extract from the firmware, it’s game over and I can SSH to any of these devices,” he said.
Rapid7 also reported that the firmware contains two hardcoded sets of credentials for the OpenWSMan interface, one for the digest authentication file that cannot be changed by the user and acts essentially as a backdoor, while the other involves the basic authentication password file stored on the firmware. Moore said that changing the admin account password still leaves the OpenWSMan password still set to admin.
Moore also disclosed two buffer overflow vulnerabilities in each of the login.cgi, close_window.cgi and logout.cgi CGI applications, as well as a directory traversal vulnerability in the url_redirect.cgi CGI application and numerous unbounded strcpy(), memcpy() and sprint() calls by more than 65 other CGI applications available through the Web interface.
“These things are real computers and have valuable file systems,” Beardsley said. “You can limit yourself to just this device that lives on the motherboard, or in a lot of cases, you can use them to manage the server. That’s what they’re there for, to manage the server. It’s a pretty short step from getting onto to the IPMI to getting onto the server proper.”