Many servers expose insecure out-of-band management interfaces to the Internet

Lucian Constantin | June 9, 2014
Many servers expose insecure management interfaces to the Internet through microcontrollers embedded into the motherboard that run independently of the main OS and provide monitoring and administration functions.

In addition, IPMI version 1.5 doesn't encrypt the connection between a user and a BMC so man-in-the-middle and other network attacks can be used to sniff passwords or hijack the connection. "You might think of the security of version 1.5 as something akin to using the old, reviled, unencrypted, and easily subverted telnet command for remote logins," Farmer said.

IPMI version 2 includes cryptographic protection and supports 16 cipher suites, but it has security issues of its own.

For example, the first cipher option, known as cipher zero, provides no authentication, integrity or confidentiality protection, Farmer said. A valid user name is required for logging in, but no password is required. "The majority of servers have cipher zero enabled on their BMC by default, and HP [Hewlett-Packard], who is one of the largest, if not the largest vendor of BMCs, had apparently never allowed you to turn it off until just recently."

The researcher found that around 60 percent of the publicly accessible BMCs running IPMI version 2 had the cipher zero vulnerability.
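A defender checking for the cipher zero exposure described above can read it straight out of `ipmitool lan print`, whose "Cipher Suite Priv Max" field lists the maximum privilege granted to cipher suites 0 through 14 ("X" meaning disabled). The following is an added example, not code from the article or from Farmer's research; the `ipmitool` output it parses is constructed, and the field names and the `cipher_privs` setting are those used by ipmitool.

```python
import re

# Privilege letters used by ipmitool in the "Cipher Suite Priv Max" field.
# Character i of the 15-character string applies to cipher suite i.
PRIV_NAMES = {"X": "disabled", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed sample of `ipmitool lan print` output: cipher suite 0 is
# enabled and its maximum privilege is 'a' (ADMIN), the insecure default.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

def parse_lan_print(text):
    """Return the two cipher-related fields from `ipmitool lan print` output."""
    fields = {}
    pattern = re.compile(r"\s*(RMCP\+ Cipher Suites|Cipher Suite Priv Max)\s*:\s*(.*)")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_cipher_zero(text):
    """Return a finding if cipher suite 0 is usable on this channel, else None."""
    fields = parse_lan_print(text)
    suites = [s.strip() for s in fields.get("RMCP+ Cipher Suites", "").split(",")]
    privs = fields.get("Cipher Suite Priv Max", "")
    if "0" not in suites or not privs or privs[0] == "X":
        return None
    return "cipher suite 0 enabled with max privilege %s" % PRIV_NAMES.get(privs[0], privs[0])

def hardened_cipher_privs(privs):
    """Same privilege string with suite 0 disabled, for
    `ipmitool lan set <channel> cipher_privs <string>`."""
    return "X" + privs[1:] if privs else privs

if __name__ == "__main__":
    print(audit_cipher_zero(SAMPLE_LAN_PRINT))
    print(hardened_cipher_privs(parse_lan_print(SAMPLE_LAN_PRINT)["Cipher Suite Priv Max"]))
```

Whether a given BMC honours the `cipher_privs` change depends on firmware; the HP behaviour Farmer describes is exactly that case, so re-run the audit after applying it.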

Another serious issue introduced by IPMI 2.0 stems from its RAKP key-exchange protocol that's used when negotiating secure connections. The protocol allows an anonymous user to obtain password hashes associated with any accounts on the BMC, as long as the account names are known.

"This is an astonishingly bad design, because it allows an attacker to grab your password's hash and do offline password cracking with as many resources as desired to throw at the problem," Farmer said.

The analysis showed that 83 percent of the identified BMCs were vulnerable to this issue and a test with John the Ripper, a brute-force password guessing application, using a modest 4.7 million-word dictionary successfully cracked password hashes obtained from 30 percent of the BMCs.

"Of course numerous past studies have shown the effectiveness of what a serious attacker can do, and with orders of magnitude faster speeds than I could muster on my consumer grade iMac," Farmer said. "I'd say that even a well-chosen non-dictionary based password of a dozen characters or less is suspect."

Farmer calculated that between 72.8 and 92.5 percent of BMCs running IPMI 2.0, depending on the password cracking success rate assumed, had authentication issues and were vulnerable to unauthorized access.

"While a quarter of a million BMCs is only a tiny sliver of the total computing power in the world, it's still an important indicator as a kind of canary in the coal mine," because BMCs that are behind corporate firewalls share the same issues, Farmer said. "While management systems are often not directly assailable from the outside they're often left open once the outer thin hard candy shell of an organization is breached."
