The Backdoor on the Side of Your Server

By Fortra's Digital Defense

A note to our readers...

The following is a blog post our organization was withholding while privately warning companies about a set of critical IPMI vulnerabilities in their rack mount hardware and the threat they posed to their security posture. Some of the content was covered in a B-Sides San Antonio talk two months ago by one of our researchers.

Today the full scope of this threat was published online in WIRED, and as such we felt it appropriate to release our findings as well.

The Backdoor on the Side of Your Server

A couple of months ago, I was reading the Intel IPMI 2.0 specification while writing a set of checks for IPMI and RMCP flaws into our vulnerability assessment engine. One of the things that stood out to me was a correction indicating that there is a no-auth access mode built into the IPMI 2.0 protocol. You can see 'straight-password' replaced with a clarification of 'no-password' for Cipher Suite 0:

Googling around the Internet, the only person I saw raising any awareness of this issue was Dan Farmer (who specifically blogs on IPMI issues). His post on it can be found here.

So now you're probably thinking... "Ok, this thing is in the specification, there seem to be some rack mount servers affected by it, how big a problem are we talking about here?"

Let's put it this way... I bought what I believed were two of the most common rack mount servers from one of the world's largest hardware vendors last month. Then I enabled the management interface and attempted to authenticate over the network with cipher zero...
Both rack mounts were vulnerable to the authentication bypass.

Then I checked some more models from other vendors... same thing. Did some more investigation on other hardware, more of the same. The more systems I checked, the more I found that were vulnerable to the same network-accessible auth bypass, all with admin-level privileges on the rack mount baseboard.

Keep in mind this is a network-accessible baseboard flaw, which means that it doesn't target the primary operating system but the embedded management agent running on the server. Traditional mitigations such as firewalling all ports on the primary operating system, or even shutting down the server completely, won't prevent network traffic from hitting this vector (the baseboard stays on even if the rest of the system is shut down, so long as the power cord is plugged in). It's also worth pointing out that on many of these servers, the baseboard interface shares a network jack with eth0, so simply 'not plugging it in' isn't an option.

This isn't a problem for one vendor, or one server, or something that happened long ago in the past. Rack mounts have been shipping with this flaw for years and continue to do so today. If you haven't encountered it while performing network scans on large rack mount deployments, it's not that it isn't there, it's that your scanning vendor isn't checking for it. Given the severity of the issue, it's something you might want to bring to their attention.

So to summarize:

"Are you telling me that there is an extremely common, hidden, no-auth network-based attack vector on major vendor rack mount servers that can silently allow attackers to bypass primary operating system defenses, hijack a baseboard interface even when the power is off, and then leverage that access all the way up to primary operating system control?"

Yes. That's exactly what I'm telling you.

---------

Remediation Information:

I haven't seen any methods posted anywhere for fixing the cipher zero flaw locally through Windows, so here's the method. This worked on all the major vendor rack mount hardware I've tested it on, but standard disclaimers apply (check with your vendor, etc.).

Windows Instructions:

1) Download ipmiutil for win32: http://ipmiutil.sourceforge.net/

2) Extract the zip file and then run the following commands from the zip directory:

> ipmiutil lan   (display lan info)

Verify the lines:

-----------------

Lan Param(23) Cipher Suites:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
Lan Param(24) Cipher Suites:  A  A  A  A  A  A  A  A  A  A  A  A  A  A  A

> ipmiutil cmd 00 20 30 01 01 18 00 40 44 44 44 44 44 44 04
> ipmiutil lan

Verify the lines now read:

--------------------------

Lan Param(23) Cipher Suites:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
Lan Param(24) Cipher Suites:  R  A  A  A  A  A  A  A  A  A  A  A  A  A  A

Linux Instructions:

1) Install ipmitool from your linux distribution package manager:

> apt-get install ipmitool   (debian/ubuntu)

2) Restrict cipher suite 0 on the baseboard lan interface.

> ipmitool lan set 1 cipher_privs Xaaaaaaaaaaaaaa

The above instructions work on systems regardless of architecture (64-bit, 32-bit, Intel, AMD, etc.).
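The raw bytes in the Windows command and the letter string in the Linux command are two spellings of the same IPMI setting: LAN configuration parameter 24 (RMCP+ cipher suite privilege levels), one 4-bit privilege level per cipher suite. The following is an added example, not code from the original post or from the ipmiutil/ipmitool projects, that encodes and decodes that parameter so you can confirm what a given byte string actually does to cipher suite 0; the function names are my own, and the leading request bytes (bus 00, BMC address 20, Transport netfn/LUN 30, command 01) are taken as laid out in the post's ipmiutil command.

```python
# Encode/decode IPMI LAN config parameter 24 (cipher suite privilege levels).
# Layout per the IPMI 2.0 spec: byte 0 reserved, then 8 bytes each holding two
# 4-bit privilege levels (low nibble = even-numbered suite, high nibble = the
# following odd one), covering cipher suites 0..15.

# Privilege letters as ipmitool's cipher_privs argument uses them:
# X = suite unavailable (no access), c = callback, u = user,
# o = operator, a = administrator, O = OEM proprietary.
PRIV = {"X": 0x0, "c": 0x1, "u": 0x2, "o": 0x3, "a": 0x4, "O": 0x5}
LETTER = {v: k for k, v in PRIV.items()}


def encode_cipher_privs(privs: str) -> bytes:
    """15- or 16-letter privilege string -> the 9 data bytes of parameter 24."""
    if len(privs) not in (15, 16):
        raise ValueError("expected one privilege letter per cipher suite (15 or 16)")
    levels = [PRIV[ch] for ch in privs] + [0] * (16 - len(privs))  # suite 15 unused
    out = bytearray([0x00])  # first data byte is reserved
    for even, odd in zip(levels[0::2], levels[1::2]):
        out.append((odd << 4) | even)  # low nibble: suite 2n, high nibble: suite 2n+1
    return bytes(out)


def decode_cipher_privs(data: bytes) -> str:
    """9 data bytes of parameter 24 -> 16-letter privilege string (suites 0..15)."""
    if len(data) != 9:
        raise ValueError("parameter 24 carries exactly 9 data bytes")
    letters = []
    for b in data[1:]:
        letters.append(LETTER.get(b & 0x0F, "?"))
        letters.append(LETTER.get(b >> 4, "?"))
    return "".join(letters)


def cipher_zero_disabled(data: bytes) -> bool:
    """True when cipher suite 0 (the no-auth suite) is marked unavailable."""
    return (data[1] & 0x0F) == 0x0


def build_ipmiutil_cmd(channel: int, privs: str) -> str:
    """Raw request bytes in the form the post passes to `ipmiutil cmd`:
    bus 00, BMC address 20, netfn/LUN 30 (Transport), cmd 01 (Set LAN
    Configuration Parameters), channel, parameter 24 (0x18), then the data."""
    header = [0x00, 0x20, 0x30, 0x01, channel, 0x18]
    return " ".join(f"{b:02x}" for b in header + list(encode_cipher_privs(privs)))
```

Running `build_ipmiutil_cmd(1, "Xaaaaaaaaaaaaaa")` reproduces the post's Windows command byte for byte, and decoding those bytes shows suite 0 marked unavailable with suites 1 through 14 left at administrator.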
