nanog mailing list archives

Re: WaPo writes about vulnerabilities in Supermicro IPMIs


From: Alain Hebert <ahebert () pubnix net>
Date: Fri, 16 Aug 2013 10:17:35 -0400

    Hi,

    I find it odd that this is suddenly news...

    There are plenty of security updates for iBMC/iDRAC/etc from
IBM/HP/Dell/etc over the years.

But:

    You can use ipmitool, rootkit/exploit some Linux box and upload your
own firmware into that iBMC/iDRAC/etc... for example the BMC firmware for
a Dell C1100 leaves plenty of space to inject your own shell into it.  And
voila! access to the management network =D.

    BTW I got ipmitool working even on VMWare 5.1 :(

Counter:

    We (PCI DSS hat) always check for those management interfaces and
"proposed" to move those interfaces into their own VLANs+subnets.
Meaning: the PCI DMZ zone has its own DMZ iBMC VLAN/subnet/FW rules, the PCI DB
zone has its own iBMC VLAN/subnet/FW rules, etc.

    It is a few more VLANs/subnets... but a modern firewall can handle this
easily.

    PS: "proposed" as in not giving them a choice =D

-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
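Added example, not part of Alain's message or any tool mentioned in the thread: a Python audit of the per-zone scheme described above (each PCI zone gets its own iBMC VLAN/subnet, reachable only through a restricted firewall rule). It checks that every BMC address sits in its own zone's BMC subnet and that no permit rule lets anything other than the jump-host range reach a BMC subnet. Hosts, subnets, zone names and rules are constructed sample data.

```python
"""Check that every out-of-band management address (iDRAC/iLO/BMC) lives in the
dedicated BMC VLAN/subnet of its own security zone, and that firewall rules only
admit the jump-host range to those subnets. Hosts, subnets and rules are
constructed sample data; the zone names mirror the PCI zones in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str       # security zone, e.g. "PCI-DMZ" or "PCI-DB"
    prod_ip: str    # production-facing address
    bmc_ip: str     # out-of-band management address


@dataclass(frozen=True)
class Rule:
    src: str        # source CIDR
    dst: str        # destination CIDR
    action: str     # "permit" or "deny"


# Policy: one BMC subnet per zone (hypothetical ranges).
ZONE_BMC_SUBNETS = {
    "PCI-DMZ": ipaddress.ip_network("10.200.10.0/24"),
    "PCI-DB": ipaddress.ip_network("10.200.20.0/24"),
}
JUMP_HOSTS = ipaddress.ip_network("10.250.0.0/28")  # only source allowed to reach any BMC subnet

HOSTS = [
    Host("dmz-web1", "PCI-DMZ", "10.10.1.11", "10.200.10.11"),  # compliant
    Host("dmz-web2", "PCI-DMZ", "10.10.1.12", "10.10.1.212"),   # BMC left on the production subnet
    Host("db1", "PCI-DB", "10.20.1.21", "10.200.10.21"),        # BMC patched into the DMZ's BMC VLAN
    Host("db2", "PCI-DB", "10.20.1.22", "10.200.20.22"),        # compliant
]
RULES = [
    Rule("10.250.0.0/28", "10.200.10.0/24", "permit"),  # jump hosts -> DMZ BMC subnet: fine
    Rule("10.10.1.0/24", "10.200.10.0/24", "deny"),
    Rule("0.0.0.0/0", "10.200.20.0/24", "permit"),      # anything -> DB BMC subnet: too broad
]


def audit_placement(hosts, policy):
    """One (host, message) finding per BMC that is not in its zone's BMC subnet."""
    findings = []
    for h in hosts:
        bmc = ipaddress.ip_address(h.bmc_ip)
        expected = policy.get(h.zone)
        if expected is None:
            findings.append((h.name, "no BMC subnet defined for zone %s" % h.zone))
        elif bmc not in expected:
            owner = next((z for z, net in policy.items() if bmc in net), None)
            if owner:
                findings.append((h.name, "BMC %s sits in the %s BMC subnet, not %s" % (h.bmc_ip, owner, h.zone)))
            else:
                findings.append((h.name, "BMC %s is outside every BMC subnet" % h.bmc_ip))
    return findings


def audit_rules(rules, policy, allowed_src):
    """One (zone, message) finding per permit rule that lets non-jump-host sources reach a BMC subnet."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        for zone, net in policy.items():
            if dst.overlaps(net) and not src.subnet_of(allowed_src):
                findings.append((zone, "rule %s -> %s permits sources outside %s" % (r.src, r.dst, allowed_src)))
    return findings


if __name__ == "__main__":
    for finding in audit_placement(HOSTS, ZONE_BMC_SUBNETS) + audit_rules(RULES, ZONE_BMC_SUBNETS, JUMP_HOSTS):
        print("%-8s %s" % finding)
```

Run against a real inventory export, the two findings this sample produces are the ones that matter most in practice: a BMC that never left the production subnet, and a BMC cabled into another zone's management VLAN, which quietly merges two zones that the firewall believes are separate.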

On 08/16/13 00:22, Kyle Creyts wrote:
just so we're all clear, SuperMicro wasn't the only one...

link: http://pastebin.com/syXHLuC5

CVE-2013-4782 CVSS Base Score = 10.0
The SuperMicro BMC implementation allows remote attackers to
bypass authentication and execute arbitrary IPMI commands by using
cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-4783 CVSS Base Score = 10.0
The Dell iDRAC 6 BMC implementation allows remote attackers to
bypass authentication and execute arbitrary IPMI commands by using
cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-4784 CVSS Base Score = 10.0
The HP Integrated Lights-Out (iLO) BMC implementation allows
remote attackers to bypass authentication and execute arbitrary IPMI
commands by using cipher suite 0 (aka cipher zero) and an arbitrary
password.

CVE-2013-4785 CVSS Base Score = 10.0
iDRAC 6 firmware 1.7, and possibly other versions, allows remote
attackers to modify the CLP interface for arbitrary users and possibly
have other impact via a request to an unspecified form that is
accessible from testurls.html.

CVE-2013-4786 CVSS Base Score = 7.8
The IPMI 2.0 specification supports RMCP+ Authenticated
Key-Exchange Protocol (RAKP) authentication, which allows remote
attackers to obtain password hashes and conduct offline password
guessing attacks by obtaining the HMAC from RAKP message 2 responses
from a BMC.


References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
=> http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
=> http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
=> http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
=> http://fish2.com/ipmi/dell/secret.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
=> http://fish2.com/ipmi/remote-pw-cracking.html

On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra () baylink com> wrote:
Presumably, everyone else's are very religious as well.

Is anyone here stupid enough not to put the management interfaces behind
a firewall/VPN?

  
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/

And should I be nervous that Usenix pointed me *there* for the story,
rather than a tech press outlet?

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
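Added example, not part of any message in this thread: detection logic for the cipher-zero issue in the CVE list quoted above (CVE-2013-4782/4783/4784). It parses the RMCP+ Open Session Request and Response that start every IPMI 2.0 session and flags any exchange where the authentication algorithm is RAKP-none, and in particular a Response whose status is 0x00 (the BMC accepted such a session). Run it over UDP/623 packets captured on your own management VLAN to find BMCs that still honour cipher suite 0. Offsets follow the IPMI 2.0 RMCP+ layout; the cipher suite table is a subset; the three sample packets are constructed for this example, not real captures.

```python
"""Detect IPMI 2.0 (RMCP+) session setups negotiating cipher suite 0, i.e.
authentication, integrity and confidentiality all set to 'none', as seen in
UDP/623 traffic to a BMC. Offsets follow the IPMI 2.0 RMCP+ layout; the sample
packets at the bottom are constructed for this example, not real captures."""
import struct

AUTH_ALGS = {0: "RAKP-none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
INTEG_ALGS = {0: "none", 1: "HMAC-SHA1-96", 2: "HMAC-MD5-128", 3: "MD5-128", 4: "HMAC-SHA256-128"}
CONF_ALGS = {0: "none", 1: "AES-CBC-128", 2: "xRC4-128", 3: "xRC4-40"}
# Cipher suite IDs as (auth, integrity, confidentiality); a subset of the spec's table.
CIPHER_SUITES = {(0, 0, 0): 0, (1, 0, 0): 1, (1, 1, 0): 2, (1, 1, 1): 3, (3, 4, 1): 17}

RMCP_HEADER = b"\x06\x00\xff\x07"           # RMCP version 6, reserved, seq 0xff, class IPMI
AUTH_TYPE_RMCPPLUS = 0x06
PT_OPEN_SESSION_REQUEST, PT_OPEN_SESSION_RESPONSE = 0x10, 0x11


def _algorithm_triplet(buf):
    """Parse three 8-byte algorithm payloads: type, 2 reserved, length 8, algorithm, 3 reserved."""
    algs = []
    for i, expected_type in enumerate((0x00, 0x01, 0x02)):
        rec = buf[i * 8:(i + 1) * 8]
        if len(rec) != 8 or rec[0] != expected_type or rec[3] != 0x08:
            raise ValueError("malformed algorithm payload #%d" % i)
        algs.append(rec[4] & 0x3F)              # low 6 bits carry the algorithm number
    return tuple(algs)


def parse_rmcpplus(data):
    """Return a dict for Open Session Request/Response packets, None for other RMCP+ payloads."""
    if len(data) < 16 or not data.startswith(RMCP_HEADER):
        raise ValueError("not an RMCP/IPMI packet")
    if data[4] != AUTH_TYPE_RMCPPLUS:
        raise ValueError("not an IPMI 2.0 RMCP+ session packet")
    payload_type = data[5] & 0x3F               # bits 6/7 are the encrypted/authenticated flags
    payload_len = struct.unpack_from("<H", data, 14)[0]
    payload = data[16:16 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload_type == PT_OPEN_SESSION_REQUEST and payload_len == 32:
        auth, integ, conf = _algorithm_triplet(payload[8:])     # tag, priv, 2 reserved, console session id
        return {"kind": "request", "status": None, "auth": auth, "integrity": integ, "confidentiality": conf}
    if payload_type == PT_OPEN_SESSION_RESPONSE and payload_len == 36:
        auth, integ, conf = _algorithm_triplet(payload[12:])    # ... plus the managed-system session id
        return {"kind": "response", "status": payload[1], "auth": auth, "integrity": integ, "confidentiality": conf}
    return None


def cipher_suite_id(pkt):
    """Map the algorithm triplet back to a cipher suite number, or None if not in the table."""
    return CIPHER_SUITES.get((pkt["auth"], pkt["integrity"], pkt["confidentiality"]))


def assess(pkt):
    """List what is wrong with the proposed/accepted algorithms; an empty list means nothing to flag."""
    if pkt is None:
        return []
    findings = []
    if pkt["auth"] == 0:
        findings.append("cipher suite 0: authentication algorithm RAKP-none, the password is never verified")
    if pkt["integrity"] == 0:
        findings.append("no integrity algorithm: session packets carry no authentication code")
    if pkt["confidentiality"] == 0:
        findings.append("no confidentiality algorithm: IPMI commands travel in clear text")
    if pkt["kind"] == "response" and pkt["status"] == 0x00 and pkt["auth"] == 0:
        findings.append("BMC accepted the cipher-0 session (status 0x00): CVE-2013-4782/4783/4784 class exposure")
    return findings


# Constructed samples. Header: RMCP(4) | auth type 06 | payload type | session id(4) | seq(4) | length(2, LE)
REQ_CIPHER0 = bytes.fromhex(
    "0600ff07" "0610" "00000000" "00000000" "2000"
    "00040000" "a3a2a1a0"                                   # tag 0, max priv 4 (admin), reserved, console id
    "0000000800000000" "0100000800000000" "0200000800000000")  # auth 0 / integrity 0 / confidentiality 0
REQ_CIPHER3 = bytes.fromhex(
    "0600ff07" "0610" "00000000" "00000000" "2000"
    "00040000" "a3a2a1a0"
    "0000000801000000" "0100000801000000" "0200000801000000")  # HMAC-SHA1 / HMAC-SHA1-96 / AES-CBC-128
RSP_ACCEPT0 = bytes.fromhex(
    "0600ff07" "0611" "00000000" "00000000" "2400"
    "00000400" "a3a2a1a0" "01000000"                        # tag, status 0x00 (ok), priv, reserved, both session ids
    "0000000800000000" "0100000800000000" "0200000800000000")

if __name__ == "__main__":
    for name, raw in (("request", REQ_CIPHER0), ("request", REQ_CIPHER3), ("response", RSP_ACCEPT0)):
        pkt = parse_rmcpplus(raw)
        print(name, "suite", cipher_suite_id(pkt), "->", assess(pkt) or "ok")
```

A request alone only tells you a client asked for cipher 0; the Response with status 0x00 is the evidence that the BMC honoured it, which is what you want to alert on from a network sensor, and what a fixed firmware (or a firewall in front of the management VLAN) should make disappear.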
