Many servers expose insecure out-of-band management interfaces to the Internet
Design and implementation flaws in the Intelligent Platform Management Interface put many servers at risk, security researcher says
9 June 2014
Many servers expose insecure management interfaces to the Internet through microcontrollers embedded into the motherboard that run independently of the main OS and provide monitoring and administration functions.
These Baseboard Management Controllers (BMCs) are part of the Intelligent Platform Management Interface (IPMI), a standardised interface made up of a variety of sensors and controllers that allow administrators to manage servers remotely when they’re shut down or unresponsive, but are still connected to the power supply.
BMCs are embedded systems that run inside servers and have their own firmware — usually based on Linux. They provide IPMI access through a network service accessible over UDP port 623.
Security researchers have warned in the past that most IPMI implementations suffer from architectural insecurities and other vulnerabilities that can be exploited to gain administrative access to BMCs. If attackers control the BMC they can mount attacks against the server’s OS as well as other servers from the same management group.
“For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better,” said Dan Farmer, a security researcher who has analysed IPMI security over the past two years, in a paper published Wednesday. “These vendors have not only gone out of their way to make their offerings difficult to understand or audit but also neglected to supply any substantial defence tools or helpful security controls.”
Farmer, together with HD Moore, chief research officer at Rapid7 and lead architect of the Metasploit penetration testing framework, ran scans on the Internet in May and identified 230,000 publicly accessible BMCs. A deeper analysis revealed that 46.8% of them were running IPMI version 1.5, which dates back to 2001, and 53.2% were running IPMI version 2.0, which was released in 2004.
“BMCs running 1.5 only had a single simple problem, but it’s a whopper — nearly all server management ports had the NULL authentication option set, meaning that all accounts could be logged into without authentication,” Farmer said. “Furthermore, virtually all BMCs also had the NULL user enabled, by itself a problem but not a serious one, but working in tandem with the first it means that you can log in to pretty much any older IPMI system without an account or a password.”
About 90% of the BMCs connected to the Internet that were running IPMI 1.5 had the NULL authentication issue, Farmer said. The privileges associated with the NULL account vary from vendor to vendor, but in most cases they grant administrative access, and even when they don’t the mere ability to execute any kind of commands without authentication is a bad thing, he said.
In addition, IPMI version 1.5 doesn’t encrypt the connection between a user and a BMC so man-in-the-middle and other network attacks can be used to sniff passwords or hijack the connection. “You might think of the security of version 1.5 as something akin to using the old, reviled, unencrypted, and easily subverted telnet command for remote logins,” Farmer said.
IPMI version 2 includes cryptographic protection and supports 16 cipher groups, but it has security issues of its own.
For example, the first cipher option, known as cipher zero, provides no authentication, integrity or confidentiality protection, Farmer said. A valid user name is required for logging in, but no password is required. “The majority of servers have cipher zero enabled on their BMC by default, and HP [Hewlett-Packard], who is one of the largest, if not the largest vendor of BMCs, had apparently never allowed you to turn it off until just recently.”
The researcher found that around 60% of the publicly accessible BMCs running IPMI version 2 had the cipher zero vulnerability.
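The two defaults described above (NULL authentication on IPMI 1.5, cipher zero on IPMI 2.0) can both be read off a BMC's own LAN channel settings. The following is an added audit script, not from the article or from Farmer's work; it assumes the field layout that `ipmitool lan print` emits and uses a constructed sample rather than output captured from a real BMC:

```python
"""Audit an `ipmitool lan print` dump for the NONE auth type (IPMI 1.5 NULL
authentication) and RMCP+ cipher suite 0 (IPMI 2.0 "cipher zero").
SAMPLE is constructed in the layout ipmitool prints, not a real capture."""
import re

SAMPLE = """\
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : NONE MD2 MD5 PASSWORD
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""
# Priv Max is one character per suite ID (position i = suite i); X = disabled.
PRIV_LEVELS = {"X": "disabled", "c": "callback", "u": "user",
               "o": "operator", "a": "admin", "O": "oem"}
AUTH_RE = re.compile(r"^(?:Auth Type Enable)?\s*:\s*(\w+)\s*:\s*(.*)$")

def parse_lan_print(text):
    """Return ({priv level: [enabled auth types]}, {suite id: max priv})."""
    auth_enable, priv_max, in_auth = {}, {}, False
    for line in text.splitlines():
        if line.startswith("Auth Type Enable"):
            in_auth = True                    # first line of the block
        elif not line.startswith(" "):
            in_auth = False                   # a new field ends the block
        if in_auth:
            m = AUTH_RE.match(line)
            if m:
                auth_enable[m.group(1)] = m.group(2).split()
        elif line.startswith("Cipher Suite Priv Max"):
            privs = line.split(":", 1)[1].strip()
            priv_max = {i: PRIV_LEVELS.get(c, "?") for i, c in enumerate(privs)}
    return auth_enable, priv_max

def audit(text):
    """Return findings as strings; an empty list means both defaults are off."""
    auth_enable, priv_max = parse_lan_print(text)
    findings = [f"NULL authentication enabled for {level} level"
                for level, types in auth_enable.items() if "NONE" in types]
    if priv_max.get(0, "disabled") != "disabled":
        findings.append(f"cipher suite 0 enabled (max priv {priv_max[0]})")
    return findings

# Remediation with ipmitool (channel 1 assumed): per level, drop NONE with
#   ipmitool lan set 1 auth ADMIN MD5,PASSWORD   and disable suite 0 with
#   ipmitool lan set 1 cipher_privs XaaaXXaaaXXaaXX
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```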
Another serious issue introduced by IPMI 2.0 stems from its RAKP key-exchange protocol that’s used when negotiating secure connections. The protocol allows an anonymous user to obtain password hashes associated with any accounts on the BMC, as long as the account names are known.
“This is an astonishingly bad design, because it allows an attacker to grab your password’s hash and do offline password cracking with as many resources as desired to throw at the problem,” Farmer said.