New vulnerability - Supermicro IPMI / BMC

ndelaespada Member, Host Rep

Is your IPMI still accessible from anywhere?

https://isc.sans.edu/diary/New+Supermicro+IPMIBMC+Vulnerability/18285

Comments

  • netomx Moderator, Veteran

    Wow, that's sad! Now I know why security by obscurity is bad

  • jar Patron Provider, Top Host, Veteran
    edited June 2014

    Damn. Immediately made me think about the automated firewall Incero put in place a while back. Time for them to sit back and smile. Shameless plug on the company my best friend works for.

    Thanked by 2: netomx, ryanarp
  • ndelaespada Member, Host Rep

    latest fw closes that hole and encrypts passwords.

  • c0y Member

    This vuln has been around for 1+ year, Zeekill used to "demonstrate" (sigh) it on my dev servers (although with consent)

  • ndelaespada Member, Host Rep

    ouch! still tons of servers wide open out there :S

  • Floris Member
    edited June 2014

    https://isc.sans.edu/diary/New+Supermicro+IPMIBMC+Vulnerability/18285

    A new vulnerability has been released by the CARI.net team regarding Supermicro’s implementation of IPMI/BMC for management. The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152. One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word. The CARI.net team has a great writeup on the vulnerability linked below:

    http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

    Much thanx to the Zach at CARI.net for the heads-up.

    Basically:
    People who have a Supermicro machine with the Nuvoton WPCM450 controller chip, their IPMI is vulnerable, others aren't. If you do, flash new firmware, if that's not possible/not working, try this instead:

    Besides flashing, there is another (albeit unsupported) temporary fix. Most of the systems affected by this particular issue also have their “sh” shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command “shell sh”, you can drop into a functional SH shell. From there you can actually kill all “upnp” processes and their related children, which provides a functional fix. That is of course until the system is completely disconnected from power and reconnected, during which the IPMI module will reboot. This is what I have done for our own systems that were unable to be permanently fixed at this time. After continual monitoring, I am satisfied with the results and there has not been any noticeable impact on functionality.
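
The thread's opening question ("is your IPMI still accessible from anywhere?"), as an added example that is not part of any post: a connect-only check to run against your own BMC inventory from a network that should not be able to reach it. It is worth scheduling, because the "upnp" workaround quoted above is lost when the IPMI module reboots. The host addresses are constructed placeholders, and `probe`, `audit` and `exposed` are hypothetical names.

```python
import socket

UPNP_PORT = 49152  # port named in the advisory quoted above


def probe(host, port=UPNP_PORT, timeout=3.0):
    """TCP connect only; no request is sent and nothing is read.

    'open'     -> something accepts connections: the BMC port is still exposed
    'closed'   -> connection refused: nothing is listening on the port
    'filtered' -> timeout/unreachable: a firewall or ACL is dropping it
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and "no route to host"
        return "filtered"


def audit(hosts, port=UPNP_PORT, timeout=3.0):
    """Probe every BMC address in the inventory; return {host: state}."""
    return {h: probe(h, port, timeout) for h in hosts}


def exposed(results):
    """Hosts that still need a firmware flash, a firewall rule or the workaround."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed inventory (documentation address range); replace with your own BMC IPs.
    inventory = ["192.0.2.10", "192.0.2.11"]
    results = audit(inventory, timeout=2.0)
    for host, state in results.items():
        print(f"{host}:{UPNP_PORT} {state}")
    if exposed(results):
        raise SystemExit(1)  # non-zero exit so cron/monitoring can alert
```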

  • Yeahh:

        telnet 192.168.178.63 49152
        Trying 192.168.178.63...
        Connected to 192.168.178.63.
        Escape character is '^]'.
        GET /PSBlock
        ?/} adminADMINADMINTT????%??"?o???DDD@ ?Connection closed by foreign host.

  • netomx said: Wow, that's sad! Now I know why security by obscurity is bad

    It took until you saw this to know that?

  • "Sounds like fun" ((c) James T. Kirk).

    It turns out most such silly vulnerabilities are in the wild for quite some time.

    Thanked by 1: netomx
  • netomx Moderator, Veteran

    @Rallias said:
    It took until you saw this to know that?

    It's just an expression, mate
