Hackers can wipe or steal data from security holes in 300,000 servers

After scanning the Internet, in research that 'barely scratches the surface' of server management flaws, HD Moore found about 308,000 servers with built-in backdoors, just waiting for attackers to steal or wipe data.

One of the only things worse than discovering a gaping security hole that puts about 308,000 servers at risk of being hacked is learning that there is nothing you can do to actually fix it. Some people may argue that there are mitigations, but "By definition, the technology is pretty much broken," according to HD Moore, chief research officer at Rapid7 and creator of Metasploit. He's talking about a widely deployed protocol, the Intelligent Platform Management Interface (IPMI), which talks to a server's baseboard management controller (BMC).

IPMI is a server management protocol designed to standardize communication between server management tools and BMCs manufactured by various vendors. Both versions 1.5 and 2.0 have the "same core functionality," even though each has different features. The intelligence behind the IPMI architecture is the BMC; it's like the embedded microcontroller brain on the motherboard. According to the "Widespread vulnerabilities in BMC's and the IPMI protocol" FAQ sheet, "BMCs provide remote management capabilities for servers, and supply virtual keyboard, video, mouse, power, and removable media control for computers."

Although vendors "heavily caution" users of IPMI "to never place a server's BMC on the internet because of the dangers it poses," Moore said that warning is often ignored. He told Wired, "Essentially every modern company and government on the planet relies on IPMI for system management, and internal attacks would be substantially more deadly."

After Moore "pinged the whole Internet," thereby discovering a wide range of security vulnerabilities, he said it "drew quite a lot of complaints, hate mail, and calls from law enforcement." Yet he had previously found a plethora of vulnerable devices -- about 50 million IPs -- due to flaws in the Universal Plug and Play protocol. After security researcher Dan Farmer, using a Defense Department DARPA Cyber Fast Track grant, found vulnerabilities in IPMI, Moore scanned the Internet again. This time he found 308,000 IPMI-enabled BMCs exposed on the net.

Of those, approximately 195,000 "only support IPMI 1.5, which does not provide any form of encryption," reported The Register. "Another 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws." 53,000 IPMI 2.0 systems rely on a weak cipher suite and are thereby vulnerable to password bypass attacks.

The FAQ sheet states:

An attacker that is able to compromise a BMC should be able to compromise its parent server. Once access to the server is gained, the attacker could copy data from any attached storage, make changes to the operating system, install a permanent backdoor, capture credentials passing through the server, launch a denial of service attack, or simply wipe the hard drives.

"In short - any weakness of the BMC can be used to get an almost-physical level of access to the server," Moore told Wired. These security flaws are much more serious than those in other equipment he scanned and found to be exposed on the Internet, Moore told Dark Reading.

"It's one thing to be hacking some crappy home router, but it's another thing" to see servers wide open to attack, he says. And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.

Wolfgang Kandek, chief technology officer for Qualys, agreed that "Plugging the vulnerabilities is not possible, given they are built into the specification." He suggested several mitigation solutions to CSO.

The researchers' FAQ sheet explains, "Perhaps the most straightforward way to break into a server through a compromised BMC is by rebooting the server from a 'virtual' CD-ROM and using a rescue disk...The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality."

The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system.

Chris Wysopal, CTO at Veracode, told Dark Reading, "This definitely qualifies for the moniker 'gaping security hole.' These management interfaces give, as Dan [Farmer] says, 'equivalent to physical access' and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."

In Rapid7's penetration tester's guide to IPMI and BMCs, Moore wrote:

The issues covered in this post were uncovered in a relatively short amount of time and have barely scratched the surface of possibilities. In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys. The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.

Farmer's security research is suggested additional reading on the vulnerability of IPMI, server vendors and firmware vendors. Farmer also offers a condensed one-page, G-rated explanation titled "IPMI: Express Train to Hell," but "IPMI: Freight Train to Hell" is a much more in-depth and colorful version.
