Immediate action called for on server management flaws
Holes in the Intelligent Platform Management Interface (IPMI) summed up: 'You really don't want vulnerabilities in such a powerful service'
By Antone Gonsalves
July 03, 2013 — CSO — Security experts are warning companies to segregate and closely monitor network traffic to a highly vulnerable protocol used in remotely monitoring and managing servers.
Independent security consultant Dan Farmer identified serious flaws in the Intelligent Platform Management Interface (IPMI) protocol that talks to the server's Baseboard Management Controller, a microcontroller embedded in the motherboard.
Sensors within a system report to the BMC such metrics as temperature, cooling fan speeds and power and operating system statuses. The IPMI specification, which is maintained by Intel, makes it possible to remotely monitor servers for BMC-reported problems and to manage access to the systems.
The vulnerabilities discovered by Farmer would enable a hacker to copy or erase data, reconfigure the operating system, install a backdoor, capture credentials or wipe the hard drives.
"You really don't want vulnerabilities in such a powerful service," said Wolfgang Kandek, chief technology officer for Qualys.
Farmer, who started research on the IPMI last year through a Defense Department DARPA grant, identified half a dozen vulnerabilities. One of the most critical is in version 2.0 of the IPMI.
The flaw in the encryption method known as "Cipher 0" essentially bypasses the entire authentication process. As a result, a hacker can exploit the vulnerability using standard command-line IPMI, says Rapid7, which did an analysis of Farmer's findings.
Another critical vulnerability in version 2.0 is passing along from the BMC a cryptographic hash of the user's password to any requesting client prior to authentication. "An attacker can perform an offline brute force attack on this hash to quickly determine the correct password," said Rapid7, which estimates 100,000 Internet-connected servers are vulnerable to such an attack.
[Tony Bradley in Salted Hash: Are you sure you're really in control of your servers?]
Some vulnerabilities are also found in IPMI version 1.5, commonly found in servers along with 2.0. For example, both versions of the protocol specification require that IPMI passwords be stored unencrypted on the BMC. This flaw was confirmed on Dell and Supermicro systems.
"This has significant ramifications when combined with the other vulnerabilities that allow remote root access to the BMC, because organizations place servers into large -- at times exceeding 100,000 or more computers -- managed IPMI groups that all share the same password," Rapid7 said.
Plugging the vulnerabilities is not possible, given they are built into the specification. Therefore, the best solution is to have a single port dedicated only to IPMI access.
"It should be a separate network physically, having two or more network cables going into your server, one of them to the dedicated IPMI port," Kandek said.
Companies that access the IPMI port over the Internet should have a gateway in front of the system that requires a separate login and two-factor authentication.
"For the gateway, whatever the system administrator is most comfortable with [is OK]," he said. "I would use a Linux machine stripped down only to the basic functionality that's needed. Other people might be more comfortable with Windows, so they probably should do a Windows server build with the same stripped down functionality."
Finally, companies should monitor network traffic to the port closely for any abnormalities, such as an IP address for a computer that is not normally used to access the IPMI, Kandek said.
While segregation is a good solution, it isn't always possible, said HD Moore, chief research officer for Rapid7 and the creator of the open source Metasploit Framework, used to execute exploit code against a remote system for testing purposes.
Because low-end servers often have only one port for connecting to the Internet, segregating the IPMI isn't possible. An option would be to set up a virtual local area network that creates a distinct broadcast domain to carry only packets headed to the IPMI. This would enable monitoring of the network traffic.
"Most people don't do this because it's a pain in the butt and you have to have a switch that supports its," Moore said.
In general, there is no single solution to the problem. Moore recommends that system administrators scan their servers with Metasploit, find the vulnerabilities that affect their systems and then decide what to do about them.
"There's definitely a number of mitigation strategies out there," Moore said.
Read more about network security in CSOonline's Network Security section.