SuperMicro IPMI Security

  #121  
10-14-2011, 08:40 AM
ICC-USA
Web Hosting Guru
Join Date: Apr 2011
Posts: 310
Quote:
Originally Posted by sprintserve
Good thing our IPMI are on a management network that's not available to the public. I wonder which fresh out of school hacks wrote their firmware.
You are not the first who asked this question...

__________________
Colin C.

International Computer Concepts

  #122  
10-14-2011, 09:08 AM
Maxnet
Aspiring Evangelist
Join Date: Dec 2004
Posts: 399
Quote:
Originally Posted by sprintserve
I wonder which fresh out of school hacks wrote their firmware.
It's easy to blame the kid that wrote the initial software.
But what about quality control and management decisions after release?
  • they should start advising their customers to change the anonymous password instantly, which solves the immediate threat.
    Not pretend you need new firmware.
    That they may prefer that route, as you can hide the exploit details that way, I can understand.
    But this thread is a year old, the bad guys already knew about the vulnerability long ago.
    Full disclosure is the best policy.

  • it is not the only security vulnerability related to this particular firmware.
    Another one is that if you use the "backup configuration" function your admin password is made available at a public non-password protected web location.

    I reported this to them 5 months ago, and received zero feedback.
    Fed up with that attitude, I posted the details to the full-disclosure mailing list a few days ago: http://seclists.org/fulldisclosure/2011/Oct/522

    Promptly received a reply from another hosting provider that they reported a similar issue affecting KVM screenshots to them 3 years ago, and it still has not been fixed.

  • some past IPMI firmware release contained very obvious bugs.
    E.g. negative temperature readings (while the sensors do work properly, as you can see the correct figures in the BIOS).
    Can they honestly claim the releases go through QA before release?

__________________
Maxnet
Offering automated dedicated server provisioning software


  #123  
10-19-2011, 03:10 AM
madsere
WHT Addict
Join Date: Jun 2001
Posts: 117
Actually it's not necessarily a hack just out of school, it's just the way they write software in Asia. Buy any cheap Chinese gadget that comes with locally written software and it's virtually useless. Lots of good products come out of China but they have westerners write the software for it.

I understand IPMI runs some sort of *nix, busybox or whatever? Is it possible to ssh into that and set up iptables or something like that? At least that would improve security somewhat.

  #124  
10-19-2011, 03:37 AM
sprintserve
Retired Moderator
Join Date: Jan 2003
Posts: 9,009
Yes it runs a version of Busybox. So theoretically, it should be possible to install iptables on it. Haven't tried it though.

Historically, Asian manufacturers all started out mostly as OEM manufacturers, where the designs are given to them and they just have to make the hardware side of things. As such, all of them tend to be overly hardware focused and not enough attention is given to the software. For them, it's good enough as long as it seems to "work", never mind the security.

__________________
Like us on Facebook to qualify for discounts!
http://www.sprintserve.net
Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
Services: | Managed Multiple Cores 64bit Servers | Server Management |

  #125  
10-19-2011, 04:14 AM
plumsauce
******* Unleaded
Join Date: Feb 2004
Posts: 3,825
Quote:
Originally Posted by madsere
Actually it's not necessarily a hack just out of school, it's just the way they write software in Asia. Buy any cheap Chinese gadget that comes with locally written software and it's virtually useless. Lots of good products come out of China but they have westerners write the software for it.

I understand IPMI runs some sort of *nix, busybox or whatever? Is it possible to ssh into that and set up iptables or something like that? At least that would improve security somewhat.
Let's examine your xenophobic statements.

The only accurate part of the entire post is that most implementations of ipmi run some linux derivative and often run busybox as the shell.

Given those ingredients, the software was mostly written by North Americans and Europeans. That is especially the case for busybox which is mostly the work of one person.

Of course if you don't like products that are not completely Western in content, you can always avoid those products. Your choices will be severely limited.

++

__________________
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com

  #126  
10-19-2011, 04:33 AM
OneLittleBird
WHT Addict
Join Date: Oct 2009
Posts: 129
Did I understand this correctly, that the only problem was that many users were unaware of the "anonymous" username existence, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?

If so, then I do not really understand what all this fuss is about. And what does it have to do with West, East, etc.

During your first log-in to the IPMI management web interface, you would immediately see that there are two users. And it is very obvious, that you MUST change both passwords. If you don't do that, then it's not really a "security flaw", it's your own fault. Well, ok, the design is not fool-proof. But that does not make it flawed.

  #127  
10-19-2011, 04:52 AM
Maxnet
Aspiring Evangelist
Join Date: Dec 2004
Posts: 399
Quote:
Originally Posted by OneLittleBird
Did I understand this correctly, that the only problem was that many users were unaware of the "anonymous" username existence, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?
Correct.
Just change the password (and make sure you do not use the "backup configuration" function).


Quote:
And it is very obvious, that you MUST change both passwords.
The problem being:
  • some people here assumed incorrectly that if they disabled the account in the web interface, that was good enough, and there would not be any need to change the password. But that function does not actually work.

  • the official documentation only tells you to change the password of the "ADMIN" account.

__________________
Maxnet
Offering automated dedicated server provisioning software


  #128  
10-19-2011, 06:07 AM
brc_csf
Web Hosting Guru
Join Date: Nov 2005
Posts: 273
Quote:
Originally Posted by OneLittleBird
Did I understand this correctly, that the only problem was that many users were unaware of the "anonymous" username existence, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?

If so, then I do not really understand what all this fuss is about. And what does it have to do with West, East, etc.

During your first log-in to the IPMI management web interface, you would immediately see that there are two users. And it is very obvious, that you MUST change both passwords. If you don't do that, then it's not really a "security flaw", it's your own fault. Well, ok, the design is not fool-proof. But that does not make it flawed.


The main problem is that if you disable the anonymous account it will keep working. That is the security flaw. Now that everyone knows that disabling won't work, it is just a matter of changing passwords. Before, it was impossible to know that. I tried anonymous myself at the web interface, but I could not imagine that it would work at SSH with an empty login. Who would?

So, this "only problem" is a serious issue.
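The check that posts #122, #127 and #128 above boil down to, written out as an added example (not code from the thread or from Supermicro): confirm from outside that the null ("anonymous") IPMI user no longer gets a session, regardless of what the web interface's disable checkbox claims. It assumes ipmitool is installed on the auditing host, that the BMCs answer IPMI-over-LAN (UDP/623, lanplus), and that the BMC addresses are placeholders; the `runner` argument exists so the decision logic can be exercised against canned ipmitool output without touching a BMC.

```python
"""Verify that an IPMI BMC rejects the null/'anonymous' user.

Added example, not code from the thread.  Assumes ipmitool is installed and
the BMCs answer IPMI-over-LAN.  Host addresses are constructed placeholders.
"""
import subprocess
from dataclasses import dataclass

# Constructed list of BMC addresses to audit (placeholders, not real hosts).
BMC_HOSTS = ["10.0.0.11", "10.0.0.12"]


@dataclass
class ProbeResult:
    host: str
    user: str
    accepted: bool
    detail: str


def ipmitool_cmd(host, user="", password=""):
    """Build the ipmitool invocation for one login attempt.

    IPMI user ID 1 is the spec-defined null user (shown as "Anonymous" in
    the Supermicro web UI).  ipmitool addresses it by omitting -U; omitting
    -P sends a null password.  -L USER requests the lowest privilege level,
    so even a successful probe cannot change anything on the BMC.
    """
    cmd = ["ipmitool", "-I", "lanplus", "-H", host, "-L", "USER"]
    if user:
        cmd += ["-U", user]
    if password:
        cmd += ["-P", password]
    return cmd + ["chassis", "status"]


def run_ipmitool(cmd):
    """Default runner: execute ipmitool, return (exit code, combined output)."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
    return proc.returncode, proc.stdout + proc.stderr


def probe_login(host, user="", password="", runner=run_ipmitool):
    """Report whether the BMC established a session for the given credentials.

    ipmitool prints the chassis fields ("System Power : on") only after a
    session exists, so that string plus a zero exit code is the success signal;
    an auth failure exits non-zero with a RAKP/session error instead.
    """
    rc, out = runner(ipmitool_cmd(host, user, password))
    accepted = rc == 0 and "System Power" in out
    first_line = out.strip().splitlines()[0] if out.strip() else "(no output)"
    return ProbeResult(host, user or "<null user>", accepted, first_line)


def audit_anonymous(hosts, passwords=("",), runner=run_ipmitool):
    """Return the hosts where the null user still gets in with any listed password."""
    exposed = []
    for host in hosts:
        for pw in passwords:
            if probe_login(host, "", pw, runner).accepted:
                exposed.append(host)
                break
    return exposed


if __name__ == "__main__":
    for host in BMC_HOSTS:
        r = probe_login(host)
        state = "ACCEPTED" if r.accepted else "rejected"
        print(f"{r.host}: null user {state} ({r.detail})")
```

If a host is reported as accepting the null user, the remediation the thread settles on is to set a password on that account rather than rely on the disable flag; with ipmitool that is `ipmitool -I lanplus -H <host> -U ADMIN -P <adminpw> user set password 1 <newpw>` (user ID 1 is normally the null user; confirm with `ipmitool ... user list 1` first). Re-run the probe afterwards, and probe SSH separately, since post #128 reports the empty login being accepted there as well.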

  #129  
10-19-2011, 08:29 AM
OneLittleBird
WHT Addict
Join Date: Oct 2009
Posts: 129
Yes, I agree, "backup configuration" is a security flaw. And also disabled account still works - that's another security flaw. But still, no new firmware is really necessary. Change the passwords, and do not use the "backup configuration" function.

I somewhat over-reacted ("much ado about nothing"), because I was very anxiously following this thread until I realized, that none of our servers were affected (as we always changed both passwords, and never used "backup configuration").

  #130  
10-19-2011, 09:47 PM
brc_csf
Web Hosting Guru
Join Date: Nov 2005
Posts: 273
Quote:
Originally Posted by OneLittleBird
Yes, I agree, "backup configuration" is a security flaw. And also disabled account still works - that's another security flaw. But still, no new firmware is really necessary. Change the passwords, and do not use the "backup configuration" function.

I somewhat over-reacted ("much ado about nothing"), because I was very anxiously following this thread until I realized, that none of our servers were affected (as we always changed both passwords, and never used "backup configuration").
We were not that lucky. These bugs caused us some problems, but we are happy to finally know that everything is "ok". I realize that being paranoid may help. So, it is always useful to change the password of an account when disabling it.

  #131  
10-20-2011, 08:26 AM
madsere
WHT Addict
Join Date: Jun 2001
Posts: 117
Quote:
Originally Posted by plumsauce
Let's examine your xenophobic statements.

The only accurate part of the entire post is that most implementations of ipmi run some linux derivative and often run busybox as the shell.

Given those ingredients, the software was mostly written by North Americans and Europeans. That is especially the case for busybox which is mostly the work of one person.

Of course if you don't like products that are not completely Western in content, you can always avoid those products. Your choices will be severely limited.

++
Well, since you want to take this off-topic. It is not about being xenophobic, or about western content, it's about their school system. I know, I live here, I see it every day. Children are taught from the time they enter school to sit down and listen and not have creative thoughts, but simply memorize what they are told. They are great at copying anything down to the last detail, but they haven't learned much about programming or creative thought. It's just the way it is. Show me any Chinese-written software (or website) that isn't a complete waste of time.

  #132  
10-25-2011, 02:22 PM
mtnt
New Member
Join Date: Jul 2009
Posts: 1
My 2cents to add to the discussion:

As you may know, the web interface page tells you that you don't have enough rights to either save/restore the config, or to access the IPMI configuration page at all when you have Operator or User rights respectively.

However, that doesn't matter, because your access level is only checked when you are hitting the page with the buttons, but not when you perform the save operation. So whatever your access level may be, you just need to open the following URL: ipmihost/cgi/save_IPMI_config.cgi , and proceed with downloading the config.
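A way to test the access check mtnt describes, added here as an example that is not code from the thread or from Supermicro: request the save CGI directly with sessions of differing privilege and see which of them are handed a config. The BMC address, the cookie name and values, and the "non-HTML body means a config was served" heuristic are all assumptions, since the thread says nothing about how the web UI issues sessions; the `fetcher` argument lets the logic run against canned responses, and the `insecure` flag exists because BMCs typically present self-signed certificates.

```python
"""Does /cgi/save_IPMI_config.cgi check privilege, or only the page with the button?

Added example, not code from the thread or from Supermicro.  The BMC address,
the cookie name/values and the "non-HTML body == config served" heuristic are
assumptions; adjust them to how your BMC's web UI actually issues sessions.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed placeholders: replace with a real BMC and session cookies obtained
# by logging in to the web UI as each user.  None means "no cookie at all".
BASE_URL = "https://10.0.0.11"
SESSIONS = {
    "unauthenticated": None,
    "user-level": "SID=0123456789abcdef",
    "operator-level": "SID=fedcba9876543210",
    "admin-level": "SID=00112233aabbccdd",
}
SAVE_PATH = "/cgi/save_IPMI_config.cgi"   # path quoted in the post above


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes


def fetch(url, cookie=None, timeout=15, insecure=False):
    """Default fetcher: one GET, returning the final status, type and body.

    insecure=True disables certificate verification, which is only acceptable
    on an isolated management network against a BMC with a self-signed cert.
    """
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    ctx = None
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return Response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, err.headers.get("Content-Type", ""), err.read())


def served_config(resp):
    """Heuristic: the UI's login/denied pages are HTML; a saved config is not."""
    if resp.status != 200 or not resp.body:
        return False
    return "text/html" not in resp.content_type.lower()


def check_save_cgi(base_url, sessions, fetcher=fetch):
    """Return the session labels that were handed a config file."""
    url = base_url.rstrip("/") + SAVE_PATH
    return [label for label, cookie in sessions.items()
            if served_config(fetcher(url, cookie))]


def unexpected(served, allowed=("admin-level",)):
    """Anything other than the allowed labels receiving a config is a finding."""
    return [label for label in served if label not in allowed]


if __name__ == "__main__":
    got = check_save_cgi(BASE_URL, SESSIONS)
    print("config served to:", got or "nobody")
    print("findings:", unexpected(got) or "none")
```

Only the admin-level session should appear in the served list; a config handed to the unauthenticated, user-level or operator-level session confirms that the CGI does not repeat the privilege check the button page performs. Treat any config that is downloaded this way as containing the admin password, per Maxnet's earlier note, and rotate it.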

  #133  
12-28-2011, 04:40 PM
MaB
Web Hosting Master
Join Date: Oct 2001
Posts: 1,248
Sorry to dredge up an old thread here - we had an IPMI interface get hacked through the anonymous user as well. Since the malicious parties already got into the IPMI card, will simply changing the password lock them out? I've already upgraded the firmware, reset to factory defaults, then changed the password of anonymous - will that suffice to keep out a malicious party that already had access to it?

__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec


  #134  
12-28-2011, 07:48 PM
Maxnet
Aspiring Evangelist
Join Date: Dec 2004
Posts: 399
Quote:
Originally Posted by MaB
Sorry to dredge up an old thread here - we had an IPMI interface get hacked through the anonymous user as well. Since the malicious parties already got into the IPMI card, will simply changing the password lock them out? I've already upgraded the firmware, reset to factory defaults, then changed the password of anonymous - will that suffice to keep out a malicious party that already had access to it?
Security purists would probably say that once something is compromised you cannot trust it anymore, and suggest you destroy the thing.


But the IPMI card runs an embedded Linux flavor that has a file system that is mounted read-only with the exception of the /tmp folder (kept in memory) and the /nv folder that keeps the settings.

So the locations where a backdoor can be easily left are kinda limited.
- Loading factory defaults should have cleared the /nv folder.
- And upgrading the firmware should cause the unit to reboot, clearing the /tmp folder. (also happens if you pull the power cable)

So I think you are reasonably safe.

__________________
Maxnet
Offering automated dedicated server provisioning software


  #135  
12-28-2011, 10:25 PM
FastServ
Randy
Join Date: Aug 2006
Location: Ashburn VA, San Diego CA
Posts: 4,380
Upgrading the firmware basically wipes the whole filesystem... you should be safe.

__________________
Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Ashburn VA + San Diego CA Datacenters

