Security experts are warning companies to segregate and closely monitor network traffic to a highly vulnerable protocol used in remotely monitoring and managing servers.
Independent security consultant Dan Farmer identified serious flaws in the Intelligent Platform Management Interface (IPMI) protocol that talks to the server's Baseboard Management Controller, a microcontroller embedded in the motherboard.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Sensors within a system report to the BMC such metrics as temperature, cooling fan speeds and power and operating system statuses. The IPMI specification, which is maintained by Intel, makes it possible to remotely monitor servers for BMC-reported problems and to manage access to the systems.
The vulnerabilities discovered by Farmer would enable a hacker to copy or erase data, reconfigure the operating system, install a backdoor, capture credentials, or wipe the hard drives.
"You really don't want vulnerabilities in such a powerful service," said Wolfgang Kandek, chief technology officer for Qualys.
Farmer, who started research on the IPMI last year through a Defense Department DARPA grant, identified half a dozen vulnerabilities. One of the most critical is in version 2.0 of the IPMI.
The flaw in the encryption method known as "Cipher 0" essentially bypasses the entire authentication process. As a result, a hacker can exploit the vulnerability using standard command-line IPMI, says Rapid7, which did an analysis of Farmer's findings.
Another critical vulnerability in version 2.0 is passing along from the BMC a cryptographic hash of the user's password to any requesting client prior to authentication. "An attacker can perform an offline brute force attack on this hash to quickly determine the correct password," said Rapid7, which estimates 100,000 Internet-connected servers are vulnerable to such an attack.
[ Tony Bradley in Salted Hash: Are you sure you're really in control of your servers? ]
Some vulnerabilities are also found in IPMI version 1.5, commonly found in servers along with 2.0. For example, both versions of the protocol specification require that IPMI passwords be stored unencrypted on the BMC. This flaw was confirmed on Dell and Supermicro systems.
"This has significant ramifications when combined with the other vulnerabilities that allow remote root access to the BMC, because organizations place servers into large -- at times exceeding 100,000 or more computers -- managed IPMI groups that all share the same password," Rapid7 said.
Plugging the vulnerabilities is not possible, given they are built into the specification. Therefore, the best solution is to have a single port dedicated only to IPMI access.
"It should be a separate network physically, having two or more network cables going into your server, one of them to the dedicated IPMI port," Kandek said.
Companies that access the IPMI port over the Internet should have a gateway in front of the system that requires a separate login and two-factor authentication.