Results 101 to 125 of 139
  1. #101
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by FastServ View Post
    Ah yes, you're right. Looks like disabling the anonymous (e.g. "" in ssh) account seems to work, tried both 'ADMIN' and blank password:
    Be aware that the anonymous account defaults to "admin" in lower case, as opposed to "ADMIN" for the "ADMIN" account.

    HTML Code:
    # cat /etc/defaults/factory.xml 
    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <IPMI>
        <UserModule>
          <User num="0" enable="01" Name="" Passwd="admin" PasswdSize="0" ChannelAccess="00000000000000000000000000000000" PrivilegeChange="00">
            <IKVMInfo IKVMVideoEnable="01" IKVMKMEnable="01" IKVMKickEnable="01"/>
            <VUSBInfo VUSBEnable="01"/>
          </User>
          <User num="1" enable="01" Name="ADMIN" Passwd="ADMIN" PasswdSize="0" ChannelAccess="00540054000000000000000000000000" PrivilegeChange="00">
            <IKVMInfo IKVMVideoEnable="01" IKVMKMEnable="01" IKVMKickEnable="01"/>
            <VUSBInfo VUSBEnable="01"/>
          </User>
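
An added example, not part of the original post: a defender-side audit of a BMC user table in the layout of the factory.xml excerpt above. It flags enabled slots with an empty user name and any slot whose password is still one of the two factory values shown on this page; the sample document is constructed, and `audit_users`, `FACTORY_PASSWORDS` and `SAMPLE_CONFIG` are assumed names.

```python
import xml.etree.ElementTree as ET

# Factory credentials shown on this page: the empty-name slot uses "admin",
# the ADMIN account uses "ADMIN".
FACTORY_PASSWORDS = {"admin", "ADMIN"}

# Constructed sample in the layout of the excerpt above (attributes trimmed,
# tags closed so it parses). Slots 2 and 3 are invented for the example.
SAMPLE_CONFIG = """<root>
  <IPMI>
    <UserModule>
      <User num="0" enable="01" Name="" Passwd="admin" ChannelAccess="00000000000000000000000000000000"/>
      <User num="1" enable="01" Name="ADMIN" Passwd="ADMIN" ChannelAccess="00540054000000000000000000000000"/>
      <User num="2" enable="01" Name="ops" Passwd="constructed-long-passphrase" ChannelAccess="00540054000000000000000000000000"/>
      <User num="3" enable="00" Name="" Passwd="admin" ChannelAccess="00000000000000000000000000000000"/>
    </UserModule>
  </IPMI>
</root>"""


def audit_users(xml_text):
    """Return (slot, name, enabled, reasons) for every slot that needs attention."""
    findings = []
    for user in ET.fromstring(xml_text).iter("User"):
        name = user.get("Name", "")
        enabled = user.get("enable") == "01"
        reasons = []
        if enabled and name == "":
            reasons.append("enabled slot with empty user name (anonymous login)")
        if user.get("Passwd", "") in FACTORY_PASSWORDS:
            # Flagged even when the slot is disabled or access-restricted: the
            # thread reports that restricting the anonymous user in the web
            # interface did not stop SSH logins, while changing the password did.
            reasons.append("password is still a factory default")
        if reasons:
            findings.append((int(user.get("num")), name, enabled, reasons))
    return findings


if __name__ == "__main__":
    for slot, name, enabled, reasons in audit_users(SAMPLE_CONFIG):
        state = "enabled" if enabled else "disabled"
        print(f"slot {slot} name={name!r} ({state}): " + "; ".join(reasons))
```

ChannelAccess is deliberately not used as a mitigating signal here, so a slot is only clean once its password differs from the factory values.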

  2. #102
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by Maxnet View Post
    Be aware that the anonymous account defaults to "admin" in lower case, as opposed to "ADMIN" for the "ADMIN" account.
    You're right. Disabling anonymous account doesn't affect SSH. Hopefully SM fixes this soon.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  3. #103
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Has anyone successfully deleted the anonymous user from ipmitool rather than the web interface?

  4. #104
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by FastServ View Post
    You're right. Disabling anonymous account doesn't affect SSH. Hopefully SM fixes this soon.
    Changing the password does work. So no reason to wait for SM.

  5. #105
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by Maxnet View Post
    Changing the password does work. So no reason to wait for SM.
    Looks like disabling the user via IPMItool works (unlike the web interface):

    Code:
    ipmitool user disable 1

  6. #106
    Join Date
    May 2006
    Location
    NJ, USA
    Posts
    6,645
    Quote Originally Posted by FastServ View Post
    You're right. Disabling anonymous account doesn't affect SSH. Hopefully SM fixes this soon.
    change anonymous' password..
    AS395558

  7. #107
    Join Date
    Jul 2009
    Posts
    451
    it looks to me like the issue revolves around -f boards, ipmi built in, and apparently many are using ipmitools and such to access the stuff...

    I use an add on card, never installed any tools for it, and it has no anon users or mail functions that I can see..

    am I correct that this pertains to use of ipmi software in addition to the ipmi cards (add on or built in)?

  8. #108
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by programguy View Post
    it looks to me like the issue revolves around -f boards, ipmi built in, and apparently many are using ipmitools and such to access the stuff...

    I use an add on card, never installed any tools for it, and it has no anon users or mail functions that I can see..

    am I correct that this pertains to use of ipmi software in addition to the ipmi cards (add on or built in)?
    No, it does not pertain to the use of IPMI software.
    Quite to the contrary, using IPMI client software usually works better and is more secure than most web frontends.


    However this particular issue seems limited to mainboard models that use the IPMI firmware developed by ATEN.
    Other boards and add-on cards seem to use other firmware, created by different vendors like AMI and Raritan.

  9. #109
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    so with the anonymous account a hacker can gain access to admin level and get access to the server console?

  10. #110
    Join Date
    Mar 2009
    Location
    Austin, TX
    Posts
    935
    Quote Originally Posted by Maxnet View Post
    Try the "shell" command

    Code:
    ssh ADMIN@192.168.88.245
    ADMIN@192.168.88.245's password: 
    Auth User/Pass with PS...pass.
    
    ATEN SMASH-CLP System Management Shell, version 1.00
    Copyright (c) 2008-2009 by ATEN International CO., Ltd.
    All Rights Reserved
    
    
    -> shell sh
    Change shell to sh
    # ls
    SFCB        bin         dropbear    lib         lost+found  proc        sys         usr         web
    SMASH       dev         etc         linuxrc     nv          sbin        tmp         var         wsman
    No workie for me.

    -> shell sh
    shell command not support now.
    SysAdmin.xyz
    Having servers with customer data on them without proper monitoring is like having a one night stand without using protection - eventually, there will be an 'oh s**t!' moment.

  11. #111
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by quad3datwork View Post
    No workie for me.
    As mentioned by Lockjaw, availability of the shell command depends on your firmware version.

    Quote Originally Posted by Lockjaw View Post
    Nice find. will need to check firmware builds for my x7spa, as 2.02 doesn't have this 'shell' available but 2.25 does.

    Be aware that even without a full shell, an attacker can cause havoc.

    - e.g. turn off the server through SMASH commands.
    - probably send spam using SSH tunnels.

  12. #112
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by CNSERVERS View Post
    so with the anonymous account a hacker can gain access to admin level and get access to the server console?
    At least with firmware versions that have the shell command, yes.

    You then have root access to the embedded Linux flavor running on the BMC.
    And can simply grab the password of the ADMIN account (conveniently stored in plain-text), and use that to access KVM.

  13. #113
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    To summarize:

    * Setting anonymous user access to 'No Access' still allows SSH logins and root shell access for the anonymous user, who can then compromise the BMC and use it for spam, hacking, KVM access and more. They can also create more users in the shell that are undetectable in IPMI.

    * One must either change the anonymous user password in the web GUI and/or disable the account slot #1 using ipmitool. Ideally you should reload the firmware to clear out any possible back doors.

  14. #114
    Join Date
    Nov 2005
    Posts
    305
    Just finished changing password for anonymous accounts at all servers.

    I believe that the fix that should be applied (to the new firmware) is to disable SSH access for the anonymous account when "No Access" is selected. As fastserv said, even configured with "No Access", they are still able to SSH and that is probably what caused all these issues that we have been having over this last year.

    I am really happy to know that we are safe now (or at least less vulnerable). The only 100% safe system for me is the one that is powered off.

  15. #115
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    yah, anonymous account should be disabled by default, web and ssh.

  16. #116
    X8SCL, X8STI fixed. Few more coming soon

  17. #117
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by YuriyK View Post
    X8SCL, X8STI fixed. Few more coming soon
    So what is the 'fix' exactly? I hope they have anonymous disabled by default. Just removing ssh access is also a band-aid, there could be good use for ssh.

  18. #118
    Quote Originally Posted by FastServ View Post
    So what is the 'fix' exactly? I hope they have anonymous disabled by default. Just removing ssh access is also a band-aid, there could be good use for ssh.
    It's a new firmware. I was told that the SSH problem is fixed. I didn't have a chance to check it myself yet.

  19. #119
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by FastServ View Post
    I hope they have anonymous disabled by default. Just removing ssh access is also a band-aid, there could be good use for ssh.
    I certainly do hope they solved it by disabling anonymous.
    Given that the anonymous account also seems to work fine with protocols other than SSH that are available on the IPMI card.

    Seems only the web interface actively refuses empty usernames.
    Client-side using Javascript that is...

  20. #120
    Good thing our IPMI are on a management network that's not available to the public. I wonder which fresh out of school hacks wrote their firmware.
    ••• Like us on Facebook to qualify for discounts! •••
    ••• http://www.sprintserve.net •••
    ••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
    ••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••

  21. #121
    Quote Originally Posted by sprintserve View Post
    Good thing our IPMI are on a management network that's not available to the public. I wonder which fresh out of school hacks wrote their firmware.
    You are not the first who asked this question...

  22. #122
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by sprintserve View Post
    I wonder which fresh out of school hacks wrote their firmware.
    It's easy to blame the kid that wrote the initial software.
    But what about quality control and management decisions after release?

    • they should start advising their customers to change the anonymous password instantly, which solves the immediate threat.
      Not pretend you need new firmware.
      That they may prefer that route, as you can hide the exploit details that way, I can understand.
      But this thread is a year old, the bad guys already knew about the vulnerability long ago.
      Full disclosure is the best policy.

    • it is not the only security vulnerability related to this particular firmware.
      Another one is that if you use the "backup configuration" function your admin password is made available at a public non-password protected web location.

      I reported this to them 5 months ago, and received zero feedback.
      Fed up with that attitude, I posted the details to the full-disclosure mailing list a few days ago: http://seclists.org/fulldisclosure/2011/Oct/522

      Promptly received a reply from another hosting provider that they reported a similar issue affecting KVM screenshots to them 3 years ago, and it still has not been fixed.

    • some past IPMI firmware releases contained very obvious bugs.
      E.g. negative temperature readings (while the sensors do work properly, as you can see the correct figures in the BIOS).
      Can they honestly claim the releases go through QA before release?

  23. #123
    Actually it's not necessarily a hack just out of school, it's just the way they write software in Asia. Buy any cheap Chinese gadget that comes with locally written software and it's virtually useless. Lots of good products come out of China but they have westerners write the software for it.

    I understand IPMI runs some sort of *nix, busybox or whatever? Is it possible to ssh into that and set up iptables or something like that? At least that would improve security somewhat.

  24. #124
    Yes it runs a version of Busybox. So theoretically, it should be possible to install iptables on it. Haven't tried it though.

    Historically, Asian manufacturers all started out mostly as OEM manufacturers, where the designs are given to them and they just have to make the hardware side of things. As such, all of them tend to be overly hardware focused and not enough attention is given to the software. For them, it's good enough as long as it seems to "work", never mind the security.

  25. #125
    Quote Originally Posted by madsere View Post
    Actually it's not necessarily a hack just out of school, it's just the way they write software in Asia. Buy any cheap Chinese gadget that comes with locally written software and it's virtually useless. Lots of good products come out of China but they have westerners write the software for it.

    I understand IPMI runs some sort of *nix, busybox or whatever? Is it possible to ssh into that and set up iptables or something like that? At least that would improve security somewhat.
    Let's examine your xenophobic statements.

    The only accurate part of the entire post is that most implementations of ipmi run some linux derivative and often run busybox as the shell.

    Given those ingredients, the software was mostly written by North Americans and Europeans. That is especially the case for busybox which is mostly the work of one person.

    Of course if you don't like products that are not completely Western in content, you can always avoid those products. Your choices will be severely limited.

    ++
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com
