Many servers expose insecure management interfaces to the Internet through microcontrollers embedded into the motherboard that run independently of the main OS and provide monitoring and administration functions.
These Baseboard Management Controllers (BMCs) are part of the Intelligent Platform Management Interface (IPMI), a standardized interface made up of a variety of sensors and controllers that allow administrators to manage servers remotely when they're shut down or unresponsive, but are still connected to the power supply.
BMCs are embedded systems that run inside servers and have their own firmware — usually based on Linux. They provide IPMI access through a network service accessible over UDP port 623.
Security researchers have warned in the past that most IPMI implementations suffer from architectural insecurities and other vulnerabilities that can be exploited to gain administrative access to BMCs. If attackers control the BMC they can mount attacks against the server's OS as well as other servers from the same management group.
"For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better," said Dan Farmer, a security researcher who has analyzed IPMI security over the past two years, in a paper published Wednesday. "These vendors have not only gone out of their way to make their offerings difficult to understand or audit but also neglected to supply any substantial defense tools or helpful security controls."
Farmer, together with HD Moore, chief research officer at Rapid7 and lead architect of the Metasploit penetration testing framework, ran scans on the Internet in May and identified 230,000 publicly accessible BMCs. A deeper analysis revealed that 46.8 percent of them were running IPMI version 1.5, which dates back to 2001, and 53.2 percent were running IPMI version 2.0, which was released in 2004.
"BMCs running 1.5 only had a single simple problem, but it's a whopper — nearly all server management ports had the NULL authentication option set, meaning that all accounts could be logged into without authentication," Farmer said. "Furthermore virtually all BMCs also had the NULL user enabled, by itself a problem but not a serious one, but working in tandem with the first it means that you can login to pretty much any older IPMI system without an account or a password."
About 90 percent of the BMCs connected to the Internet that were running IPMI 1.5 had the NULL authentication issue, Farmer said. The privileges associated with the NULL account vary from vendor to vendor, but in most cases they grant administrative access, and even when they don't the mere ability to execute any kind of commands without authentication is a bad thing, he said.
Sign up for Computerworld eNewsletters.