The IPMI (Intelligent Platform Management Interface) implementation found in motherboards from server manufacturer Supermicro suffers from serious vulnerabilities that could allow attackers to remotely compromise the management controllers in servers that use them.
The IPMI specification was developed by Intel and allows system administrators to manage and monitor computer systems remotely in the absence of physical access to them. IPMI supports multiple communication protocols and operates independently of the operating system running on the computer. Its central part is a microcontroller called the BMC (Baseboard Management Controller) that is usually embedded into the motherboard and is directly connected to its southbridge and a variety of sensors.
BMCs are essentially computers that run inside other computers, most commonly servers. They are usually based on ARM chips and run Linux-based firmware that implements the IPMI functions, including monitoring, rebooting, and reinstalling the host server's OS.
IPMI implementations vary from vendor to vendor, but most expose a Web-based management interface, a command-line interface via Telnet or Secure Shell, and the IPMI network protocol on port 623 UDP or TCP.
If an attacker gains administrative access to the BMC, they can reboot the host server's operating system into a root shell and introduce a backdoor or copy data from the hard drive. Gaining access to the host operating system while it's running without rebooting it might also be possible, according to a July analysis of IPMI security risks by security researchers from Rapid7.
On Aug. 22, Rapid7 researchers found several security issues in the IPMI firmware version SMT_X9_226 from Supermicro and reported them to the vendor.
Those issues included the use of hard-coded encryption keys for SSL and SSH connections that could allow an attacker to perform a man-in-the-middle attack and decrypt communication to the firmware; the use of hard-coded credentials with static passwords, including one that cannot be changed by the user; buffer overflow vulnerabilities in the login.cgi, close_window.cgi and logout.cgi applications that can result in remote code execution as the root user account; and a directory traversal flaw in the url_redirect.cgi application that allows attackers with access to a nonprivileged account to read any file on the system, including the one that contains plain-text credentials for all users.
The researchers also found that more than 65 other CGI applications included in the firmware made unsafe function calls that could potentially be exploited. Accessing those CGI applications required authentication, which limited their exposure to attacks, but an attacker logged in as a low-privileged user could still exploit their flaws to gain root access to the BMC.
Supermicro released a new firmware version called SMT_X9_315 that fixes some of the vulnerabilities reported by Rapid7, particularly the remote code execution ones. However, it appears that some other issues remain unpatched, the Rapid7 researchers said Wednesday in a blog post.