Security holes in server management technology create hacking opportunities almost on par with direct physical access, claims Metasploit creator HD Moore.
The issue arises from security shortcomings involving baseboard management controllers (a type of embedded computer used to provide out-of-band monitoring for desktops and servers, technology installed on nearly all servers) and the Intelligent Platform Management Interface (IPMI) protocol.
An attacker able to compromise a baseboard management controller (BMC) should be able to compromise its parent server. Compromising a server would allow miscreants to copy data from any attached storage, make changes to the operating system, install a backdoor, capture credentials passing through the server, launch denial of service attacks, or simply wipe the hard drives, among many other things.
Attacks like this are easily possible according to Moore, Rapid7's chief research officer and creator of penetrating testing software Metasploit, because vulnerable services are accessible across the net. Research by Moore found that around 308,000 IPMI-enabled BMCs were exposed on the net.
Approximately 195,000 of these devices only support IPMI 1.5, which does not provide any form of encryption. Another 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws.
For example, 53,000 IPMI 2.0 systems are vulnerable to password bypass attacks because they rely upon a weak cipher suite. Passive scans by Moore separately discovered that 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service.
The security shortcomings under discussion are well beyond the capability of script-kiddies and could only be abused by a skilled and experienced hacker. Even so, it would be wise for sysadmins to listen to the warning implicit in Moore's research.
A blog post by Moore provides recommendations on how enterprises and hosting providers can mitigate the security risk of having their servers pwned. A lot of this comes down to fairly basic stuff: firewalling vulnerable services, disabling the vulnerable Cipher 0 cryptosuite and using complex passwords. Supermicro system users should apply an updated firmware image.
Previous research by Moore earlier this year revealed that everything from medical systems to traffic light boxes is wide open to hackers thanks to a lack of authentication checks. Flawed use of the Universal Plug and Play (UPnP) protocol meant that anything up to 50 million of devices are insecure, Rapid 7 warned in January. ®