Full Disclosure mailing list archives
Re: Supermicro IPMI: backup function causes password to be stored at public web location
From: Raymond Dijkxhoorn <raymond () prolocation net>
Date: Wed, 12 Oct 2011 11:26:57 +0200 (CEST)
Hi!
Tested hardware: Supermicro X8SI6-F mainboard - IPMI firmware: 2.50 Supermicro X9SCL-F mainboard - IPMI firmware: 1.01 Likely affects other Supermicro boards of those generations that use the same type of firmware. == Problem == Modern servers often include a feature called IPMI to remotely manage and monitor the server. Since setting up the IPMI card properly requires entering a dozen settings ranging from network information, usernames and passwords, to e-mail address that should be notified if a hardware failure occurs, most IPMI cards offer a convenience function to backup and restore the settings to a file. In the case of these boards you can login to the IPMI webinterface and go to "maintenance" -> "IPMI configuration" -> "save IPMI configuration" and a configuration backup file is generated. This file is then available for download at: http://ipmi-ip-address/save_config.bin The problem is that this file is PUBLICLY accessible to everyone, even those NOT logged into the webinterface. Furtermore the file remains accessible until the server chassis loses power, which is unlikely to be anytime soon if the server is already racked up in a datacenter.
This isnt only the issue for the passwords. But also for the screen images. Those IPMI controllers have a option to capture the actual server screen. And this isnt password protected either. We reported this ~ 3 years ago to them. And is available in about any version. My advise, put those IPMI's on private networks only. Or firewall them. Bye, Raymond. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Supermicro IPMI: backup function causes password to be stored at public web location Floris Bos (Oct 12)
- Re: Supermicro IPMI: backup function causes password to be stored at public web location Raymond Dijkxhoorn (Oct 12)