Major vulnerabilities in a protocol for remotely monitoring and
managing servers would allow attackers to hijack the computers to gain control
of them, access or erase data, or lock others out. The vulnerabilities exist in
more than 100,000 servers connected to the internet, according to two
researchers.
The vulnerabilities reside in the Intelligent Platform
Management Interface, a protocol used by Baseboard Management Controllers that
are used to remotely monitor servers for heat and electricity issues as well as
manage access to them and other functions.
The security holes would allow hackers to obtain password
hashes from the servers or bypass authentication entirely to copy content,
install a backdoor or even wipe the servers clean, according to Dan Farmer, an
independent computer security consultant who conducted the research for the
Defense Department’s DARPA.
A scan of the internet conducted by HD Moore, chief research
officer at Rapid7 and creator of the Metasploit Framework penetration testing
tool, found more than 100,000 systems online that were vulnerable to one or more
of the security issues.
The IPMI protocol standardizes communication so that management
controllers from various manufacturers can interact seamlessly with servers from
various manufacturers. BCMs provide a virtual keyboard, mouse and removable
media to remotely manage servers and are installed on nearly all servers
manufactured today.
By using the vulnerabilities in IPMI to compromise a server’s
remote management controller, an attacker can then gain access to the server
itself.
“In short – any weakness of the BMC can be used to get an
almost-physical level of access to the server,” Moore says, noting that users of
IPMI are “heavily cautioned by the vendors to never place a server’s BMC on the
internet because of the dangers it poses,” but many ignore the warning.
“Essentially every modern company and government on the planet
relies on IPMI for system management, and internal attacks would be
substantially more deadly,” he says.
Two versions of the protocol currently in use, versions 1.5
and 2.0, both have issues. Version 1.5 doesn’t require that passwords for the
BMC be encrypted. And version 2.0 has half a dozen additional
vulnerabilities.
Farmer identified six distinct vulnerabilities in version 2.0
of the protocol. One intrinsic vulnerability lies in the fact that the protocol
specifications call for passwords for the IPMI to be stored unencrypted on the
BMC. He says this is particularly foolish because organizations often configure
a single IPMI to manage large groups of servers — sometimes as many as 100,000
in the case of hosting providers — all of which would be vulnerable if someone
gained access to the clear text password.
“The exposure of clear text credentials makes it possible for
an attacker to compromise all BMCs using the same password,” he says.
“Information [about] how and where these passwords are stored has been
documented online, and has been confirmed on both Dell and Supermicro BMC
implementations.”
Another vulnerability allows anyone to obtain a cryptographic
password hash of a user’s account, allowing an attacker to perform an offline
brute-force attack to decipher the password. A Metasploit module already exists
to conduct such an attack.
“A Python script and a Metasploit Framework module exist to
test for this issue and have broken over 10 percent of the passwords with an
initial test,” Moore says.
A third vulnerability allows an attacker to bypass the
authentication process entirely if someone has Cipher 0 enabled in the BMC
configuration. Cipher 0 is often enabled by default in BMC systems to handle the
authentication handshake, but it allows anyone to bypass authentication and send
the system commands.
A fourth vulnerability would allow someone to use anonymous
logins with the username and password set to a null value to gain administrative
privileges on the control system.
Some BMCs also
enable Universal Plug and Play by default. Moore published
a paper earlier this year identifying
three sets of serious security flaws in UPnP.
After performing an internet-wide scan to determine how many
BMC systems are connected to the internet, he found more than 300,000. Of these,
195,000 were using version 1.5 of the protocol, which does not provide any
encryption. Another 113,000 of the BMCs support version 2.0, and of these,
99,000 exposed password hashes, and 53,0000 were vulnerable to the password
bypass issue due to Cipher 0 being enabled. About 35,000 BMCs from Supermico
have a Universal Plug and Play vulnerability.
“The 53,000 BMCs that allow authentication via Cipher 0 are at
immediate risk of compromise,” Moore says. “No exploit code is needed to
manipulate these systems as the standard IPMI command-line tools provide the
required functionality. An attacker could use the Cipher 0 weakness to configure
a backdoor account with administrative privileges. This backdoor could be used
to compromise the BMC and the connected server.”
Because BMCs have their own IP address, separate from the
server’s IP address, hackers could hijack the BMC and never be noticed by
network administrators who are only monitoring server IP addresses for nefarious
activity, Moore says.
Farmer began
researching the IPMI protocol in mid-2012 as part of a DARPA Cyber Fast Track
grant. Earlier this year Farmer published a list of security best practices for IPMI
(.pdf).
Moore says companies should make sure that IPMI-enabled BMCs
are not connected to the public internet, and that companies should also disable
Cipher 0, set complex passwords, and in the case of Supermicro systems, demand a
patch for the UPnP vulnerability from their vendor.
“Many folks are unaware that their systems have IPMI enabled
in the first place, the only way to tell for sure is to use some form of scanner
on the local network,” says Moore, who added an IPMI module to the open source
Metasploit Framework to help with this.
By Kim Zetter
Source:
0 yorum:
Yorum Gönderme