After scanning the Internet and research that 'barely scratches the surface' of server management flaws, HD Moore found about 308,000 servers with built-in backdoors, just waiting for attackers to steal or to wipe data. One of the only things worse than discovering a gaping security hole that puts about 308,000 servers at risk of being hacked is learning that there is nothing you can do to actually fix it. Some people may argue that there are mitigations, but “By definition, the technology is pretty much broken,” according to HD Moore, chief research officer at Rapid7 and creator of Metasploit. He’s talking about a widely deployed protocol, Intelligent Platform Management Interface (IPMI) that talks to a server’s baseboard management controller (BMC).The IPMI is a server management protocol designed to standardize communication between server management tools and BMCs, manufactured by various vendors. Both versions 1.5 and 2.0 have the “same core functionality,” even though each has different features. The intelligence behind the IPMI architecture is BMC; it’s like the embedded microcontroller brain on the motherboard. According to the “Widespread vulnerabilities in BMC’s and the IPMI protocol” FAQ sheet, “BMCs provide remote management capabilities for servers, and supply virtual keyboard, video, mouse, power, and removable media control for computers.”Although vendors “heavily caution” users of IPMI “to never place a server’s BMC on the internet because of the dangers it poses,” Moore said that warning is often ignored. He told Wired, “Essentially every modern company and government on the planet relies on IPMI for system management, and internal attacks would be substantially more deadly.”After Moore “pinged the whole Internet,” thereby discovering a wide range of security vulnerabilities, he said it “drew quite a lot of complaints, hate mail, and calls from law enforcement.” Yet he had previously found a plethora of vulnerable devices — about 50 million IPs — due to flaws in the Universal Plug and Play protocol. After security researcher Dan Farmer, using a Defense Department DARPA Cyber Fast Track grant, found vulnerabilities in IPMI, Moore scanned the Internet again. This time he found 308,000 IPMI-enabled BMCs exposed on the net. Of those, approximately 195,000 “only support IPMI 1.5, which does not provide any form of encryption,” reported The Register. “Another 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws.” 53,000 IPMI 2.0 systems rely on a weak cipher suite and are thereby vulnerable to password bypass attacks.The FAQ sheet states: An attacker that is able to compromise a BMC should be able to compromise its parent server. Once access to the server is gained, the attacker could copy data from any attached storage, make changes to the operating system, install a permanent backdoor, capture credentials passing through the server, launch a denial of service attack, or simply wipe the hard drives.“In short – any weakness of the BMC can be used to get an almost-physical level of access to the server,” Moore told Wired. These security flaws are much more serious than other equipment he scanned and found to be exposed on the Internet, Moore told Dark Reading.“It’s one thing to be hacking some crappy home router, but it’s another thing” to see servers wide open to attack, he says. And there isn’t really a fix for the IPMI protocol problems. “By definition, the technology is pretty much broken. There’s no such thing as an IPMI secure device,” Moore says.Wolfgang Kandek, chief technology officer for Qualys, agreed that “Plugging the vulnerabilities is not possible, given they are built into the specification.” He suggested several mitigation solutions to CSO.The researchers’ FAQ sheet explains, “Perhaps the most straightforward way to break into a server through a compromised BMC is by rebooting the server from a ‘virtual’ CD-ROM and using a rescue disk…The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality.”The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server’s operating system.Chris Wysopal, CTO at Veracode, told Dark Reading, “This definitely qualifies for the moniker ‘gaping security hole.’ These management interfaces give, as Dan [Farmer] says, ‘equivalent to physical access’ and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don’t know this management interface exists.”Moore, on Rapid7’s penetration tester’s guide to IPMI and BMCs, wrote:The issues covered in this post were uncovered in a relatively short amount of time and have barely scratched the surface of possibilities. In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys. The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.Farmer’s security research is additional suggested reading about the vulnerability of IPMI, server vendors and firmware vendors. Farmer also offers a condensed one page, G-rated explanation titled “IPMI: Express Train to Hell,” but “IPMI: Freight Train to Hell” is a much more in-depth and colorful version. Like this? Here’s more posts:You might be a terrorist if…you complain about your tap waterBreaking down latest leaked PRISM slides claiming U.S. ‘bugged EU offices’Surveillance court ‘secret’ rulings slaughter Fourth Amendment to help NSA spyNSA whistleblower Snowden: Even innocent Americans are ‘being watched and recorded’Happy Independence Day: Stop Watching Us, Restore the Fourth AmendmentReporters threatened with CFAA, labeled hackers for finding security holeHacking and attacking automated homesFormer CIA, NSA director sounds off on PRISM, spying toolsRule of 7 applied to domestic surveillanceMicrosoft Research: MoodScope, a context-aware smartphone to sense and share your moodFollow me on Twitter @PrivacyFanatic Related content news Dow Jones watchlist of high-risk businesses, people found on unsecured database A Dow Jones watchlist of 2.4 million at-risk businesses, politicians, and individuals was left unprotected on public cloud server. By Ms. Smith Feb 28, 2019 4 mins Data Breach Hacking Security news Ransomware attacks hit Florida ISP, Australian cardiology group Ransomware attacks might be on the decline, but that doesn't mean we don't have new victims. A Florida ISP and an Australian cardiology group were hit recently. By Ms. Smith Feb 27, 2019 4 mins Ransomware Security news Bare-metal cloud servers vulnerable to Cloudborne flaw Researchers warn that firmware backdoors planted on bare-metal cloud servers could later be exploited to brick a different customer’s server, to steal their data, or for ransomware attacks. By Ms. Smith Feb 26, 2019 3 mins Cloud Computing Security news Meet the man-in-the-room attack: Hackers can invisibly eavesdrop on Bigscreen VR users Flaws in Bigscreen could allow 'invisible Peeping Tom' hackers to eavesdrop on Bigscreen VR users, to discreetly deliver malware payloads, to completely control victims' computers and even to start a worm infection spreading through VR By Ms. Smith Feb 21, 2019 4 mins Hacking Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe