Supermicro IPMI Security Updates November 2013

From Thomas-Krenn-Wiki

The IPMI controller web interfaces of Supermicro X9 generation motherboards with firmware revision v2.24 and older are affected by several vulnerabilities, including critical buffer overflows. These vulnerabilities were found in a security analysis by Rapid7. The following analyses describe the discovery of these vulnerabilities:

This wiki article will provide more information about these security vulnerabilities and how to perform an update of the IPMI firmware.

General Security Information

We recommend not exposing administrative access such as IPMI and SSH services to the Internet, but rather granting access to authorized persons through a firewall/VPN. This recommendation applies regardless of the vulnerabilities described here and is also reinforced by Supermicro: Best Practices for managing servers with IPMI features enabled in Datacenters.

Affected Firmware Versions

According to Rapid7 the vulnerabilities were discovered in IPMI firmware version SMT_X9_226.[1] Rapid7 created a working exploit for the buffer overflow using IPMI firmware version SMT_X9_214.[2] Thomas-Krenn verified the exploitability of the close_window.cgi vulnerability on an IPMI web interface of revision 2.24.

The following selected Thomas Krenn motherboards are affected:

Details

The CGI scripts login.cgi and close_window.cgi of the IPMI web interface are vulnerable to buffer overflows.[1] The vulnerabilities result from the use of strcpy and strcat without validating the length of the input strings.

A working exploit has been published for the close_window.cgi vulnerability; it allows an attacker to run commands as root without prior authentication.[2][3]
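Added example (not Supermicro/ATEN code): the defect class described above, an unbounded strcpy of a CGI parameter into a fixed-size buffer, shown beside a bounds-checked replacement that parses the query string itself and rejects oversized values. The parameter name, buffer size and query strings are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed buffer size; the real CGI handlers' sizes are not on the page. */
#define PARAM_MAX 32

enum { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/* Vulnerable pattern: nothing checks that value fits into out[PARAM_MAX],
 * so any value of PARAM_MAX bytes or more writes past the buffer. */
void copy_param_unchecked(char out[PARAM_MAX], const char *value)
{
    strcpy(out, value);               /* overflows when strlen(value) >= PARAM_MAX */
}

/* Hardened replacement: locate key=value in a query string such as
 * "sess=abc&x=1", refuse values that do not fit, and copy at most
 * PARAM_MAX-1 bytes with an explicit NUL terminator. */
int get_param_checked(const char *query, const char *key, char out[PARAM_MAX])
{
    size_t klen = strlen(key);
    const char *p = query;

    while (p && *p) {
        const char *end = strchr(p, '&');            /* end of this key=value segment */
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        /* Match only a full key followed by '=' (so "sessions=" != "sess="). */
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = seglen - klen - 1;
            if (vlen >= PARAM_MAX)
                return PARAM_TOO_LONG;               /* reject, never truncate silently */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return PARAM_OK;
        }
        p = end ? end + 1 : NULL;
    }
    out[0] = '\0';
    return PARAM_MISSING;
}
```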

Impacts

An attacker with network access to port 80 of the IPMI IP address can trigger a buffer overflow with crafted requests. If the vulnerability is exploited successfully, the attacker can run commands with root privileges on the IPMI BMC (arbitrary code execution).

Countermeasures

According to Supermicro the following security vulnerabilities are fixed by revision SMT_X9_315:[4]

  • Hardcoded WSMan Credentials (CVE-2013-3620)
  • CGI: login.cgi (CVE-2013-3621)
  • CGI: close_window.cgi (CVE-2013-3623)
  • Stack-based Buffer Overflow (CVE-2013-3607)
  • Improper Input Validation (CVE-2013-3608)
  • Improper Privilege Management (CVE-2013-3609)

Attention: Supermicro states that, because of changes in the password management algorithms, a downgrade from 3.x firmware versions to 2.x versions is not possible.[5]

The following IPMI firmware revision fixes the vulnerabilities:

Thomas-Krenn strongly recommends that all affected customers apply the IPMI firmware update and do not expose administrative access such as IPMI or SSH services to the Internet. Instead, allow access to authorized persons only via a firewall/VPN.

For additional information about updating the firmware, please refer to the article IPMI Firmware Update for Supermicro Motherboards with ATEN IPMI Software.

References

  1. Supermicro IPMI Firmware Vulnerabilities
  2. Exploiting the Supermicro Onboard IPMI Controller
  3. Metasploit smt_ipmi_close_window_bof.rb
  4. Supermicro Firmware Fixes to Common Vulnerabilities and Exposures
  5. Supermicro Firmware List

Author: Georg Schönberger

Related articles

ASPEED AST2400 IPMI Chip with ATEN-Software
Integrated IPMI Firewall of Supermicro Motherboards
Nuvoton WPCM450R IPMI Chip with ATEN-Software