Thread: SuperMicro IPMI Security
-
10-12-2011, 10:56 AM #101Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
Be aware that the anonymous account defaults to "admin" in lower case, as opposed to "ADMIN" for the "ADMIN" account.
HTML Code:

    # cat /etc/defaults/factory.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <IPMI>
        <UserModule>
          <User num="0" enable="01" Name="" Passwd="admin" PasswdSize="0" ChannelAccess="00000000000000000000000000000000" PrivilegeChange="00">
            <IKVMInfo IKVMVideoEnable="01" IKVMKMEnable="01" IKVMKickEnable="01"/>
            <VUSBInfo VUSBEnable="01"/>
          </User>
          <User num="1" enable="01" Name="ADMIN" Passwd="ADMIN" PasswdSize="0" ChannelAccess="00540054000000000000000000000000" PrivilegeChange="00">
            <IKVMInfo IKVMVideoEnable="01" IKVMKMEnable="01" IKVMKickEnable="01"/>
            <VUSBInfo VUSBEnable="01"/>
          </User>
Maxnet
Offering automated dedicated server provisioning software
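An added example, not part of the original post and not vendor code: a small audit that reads a configuration in the format of the factory.xml excerpt above and reports enabled slots that are anonymous or still carry a factory-default password. The function name `audit_users`, the reading of `enable="00"` as "slot unused", and the sample data are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the factory.xml excerpt above, closed off
# so that it parses; slots 2 and 3 are invented for contrast.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<root><IPMI><UserModule>
<User num="0" enable="01" Name="" Passwd="admin"/>
<User num="1" enable="01" Name="ADMIN" Passwd="ADMIN"/>
<User num="2" enable="01" Name="ops" Passwd="constructed-Long-passphrase-1"/>
<User num="3" enable="00" Name="" Passwd="admin"/>
</UserModule></IPMI></root>"""

# The two factory defaults named in the thread.
DEFAULT_PASSWORDS = {"admin", "ADMIN"}


def audit_users(xml_text):
    """Return (slot, finding) pairs for enabled slots that need attention."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for user in root.iter("User"):
        # Assumption: enable="00" marks an unused slot, anything else is live.
        if int(user.get("enable", "00"), 16) == 0:
            continue
        slot = user.get("num", "?")
        name = user.get("Name", "")
        passwd = user.get("Passwd", "")
        if name == "":
            findings.append((slot, "anonymous account enabled"))
        if passwd in DEFAULT_PASSWORDS or (name and passwd == name):
            findings.append((slot, "factory-default password"))
    return findings


if __name__ == "__main__":
    for slot, finding in audit_users(SAMPLE):
        print(f"slot {slot}: {finding}")
```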
-
10-12-2011, 11:35 AM #102Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
10-12-2011, 11:36 AM #103Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
Has anyone successfully deleted the anonymous user from ipmitools rather than the web interface?
-
10-12-2011, 11:36 AM #104Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
-
10-12-2011, 11:44 AM #105Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
-
10-12-2011, 11:48 AM #106Rockin' the beer gut
- Join Date
- May 2006
- Location
- NJ, USA
- Posts
- 6,645
-
10-12-2011, 02:33 PM #107Web Hosting Evangelist
- Join Date
- Jul 2009
- Posts
- 451
It looks to me like the issue revolves around -f boards, IPMI built in, and apparently many are using ipmitools and such to access the stuff...
I use an add-on card, never installed any tools for it, and it has no anon users or mail functions that I can see.
Am I correct that this pertains to use of IPMI software in addition to the IPMI cards (add-on or built-in)?
-
10-12-2011, 02:49 PM #108Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
No, it does not pertain to the use of IPMI software.
Quite to the contrary, using IPMI client software usually works better and is more secure than most web frontends.
However this particular issue seems limited to mainboard models that use the IPMI firmware developed by ATEN.
Other boards and add-on cards seem to use other firmware, created by different vendors like AMI and Raritan.
-
10-12-2011, 02:56 PM #109Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
So with the anonymous account, a hacker can gain access to admin level and get access to the server console?
-
10-12-2011, 03:00 PM #110Web Hosting Master
- Join Date
- Mar 2009
- Location
- Austin, TX
- Posts
- 935
SysAdmin.xyz
Having servers with customer data on them without proper monitoring is like having a one-night stand without using protection - eventually, there will be an 'oh s**t!' moment.
-
10-12-2011, 03:21 PM #111Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
As mentioned by Lockjaw, availability of the shell command depends on your firmware version.
Be aware that even without a full shell, an attacker can cause havoc.
- e.g. turn off the server through SMASH commands.
- probably send spam using SSH tunnels.
-
10-12-2011, 03:33 PM #112Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
-
10-12-2011, 06:33 PM #113Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
To summarize:
* Setting anonymous user access to 'No Access' still allows SSH logins and root shell access for the anonymous user, who can then compromise the BMC and use it for spam, hacking, KVM access and more. They can also create more users in the shell that are undetectable in IPMI.
* One must either change the anonymous user password in the web GUI and/or disable the account slot #1 using ipmitool. Ideally you should reload the firmware to clear out any possible back doors.
-
10-12-2011, 10:29 PM #114Web Hosting Guru
- Join Date
- Nov 2005
- Posts
- 305
Just finished changing password for anonymous accounts at all servers.
I believe that the fix that should be applied (to the new firmware) is to disable SSH access for the anonymous account when "No Access" is selected. As fastserv said, even configured with "No Access", they are still able to SSH, and that is probably what caused all these issues that we have been having over this last year.
I am really happy to know that we are safe now (or at least less vulnerable). The only 100% safe system for me is the one that is powered off.
-
10-12-2011, 10:37 PM #115Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
Yeah, the anonymous account should be disabled by default, web and SSH.
-
10-13-2011, 12:57 PM #116Web Hosting Guru
- Join Date
- Apr 2011
- Posts
- 311
X8SCL, X8STI fixed. Few more coming soon
-
10-13-2011, 01:00 PM #117Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
-
10-13-2011, 01:07 PM #118Web Hosting Guru
- Join Date
- Apr 2011
- Posts
- 311
-
10-13-2011, 06:42 PM #119Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
I certainly do hope they solved it by disabling anonymous.
Given that the anonymous account also seems to work fine with protocols other than SSH that are available on the IPMI card.
Seems only the web interface actively refuses empty usernames.
Client-side using JavaScript, that is...
-
10-14-2011, 07:29 AM #120Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
Good thing our IPMI are on a management network that's not available to the public. I wonder which fresh out of school hacks wrote their firmware.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
-
10-14-2011, 08:40 AM #121Web Hosting Guru
- Join Date
- Apr 2011
- Posts
- 311
-
10-14-2011, 09:08 AM #122Web Hosting Master
- Join Date
- Dec 2004
- Posts
- 569
It's easy to blame the kid that wrote the initial software.
But what about quality control and management decisions after release?
- they should start advising their customers to change the anonymous password instantly, which solves the immediate threat.
Not pretend you need new firmware.
That they may prefer that route, as you can hide the exploit details that way, I can understand.
But this thread is a year old, the bad guys already knew about the vulnerability long ago.
Full disclosure is the best policy.
- it is not the only security vulnerability related to this particular firmware.
Another one is that if you use the "backup configuration" function your admin password is made available at a public non-password protected web location.
I reported this to them 5 months ago, and received zero feedback.
Fed up with that attitude, I posted the details to the full-disclosure mailing list a few days ago: http://seclists.org/fulldisclosure/2011/Oct/522
Promptly received a reply from another hosting provider that they reported a similar issue affecting KVM screenshots to them 3 years ago, and it still has not been fixed.
- some past IPMI firmware releases contained very obvious bugs.
E.g. negative temperature readings (while the sensors do work properly, as you can see the correct figures in the BIOS).
Can they honestly claim the releases go through QA before release?
-
10-19-2011, 03:10 AM #123WHT Addict
- Join Date
- Jun 2001
- Posts
- 139
Actually it's not necessarily a hack just out of school, it's just the way they write software in Asia. Buy any cheap Chinese gadget that comes with locally written software and it's virtually useless. Lots of good products come out of China but they have westerners write the software for it.
I understand IPMI runs some sort of *nix, busybox or whatever? Is it possible to ssh into that and set up iptables or something like that? At least that would improve security somewhat.
-
10-19-2011, 03:37 AM #124Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
Yes, it runs a version of Busybox. So theoretically, it should be able to install iptables on it. Haven't tried it though.
Historically, Asian manufacturers all started out mostly as OEM manufacturers, where the designs are given to them and they just have to make the hardware side of things. As such, all of them tend to be overly hardware focused and not enough attention is given to the software. For them, it's good enough as long as it seems to "work", never mind the security.
-
10-19-2011, 04:14 AM #125******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
Let's examine your xenophobic statements.
The only accurate part of the entire post is that most implementations of ipmi run some linux derivative and often run busybox as the shell.
Given those ingredients, the software was mostly written by North Americans and Europeans. That is especially the case for busybox which is mostly the work of one person.
Of course if you don't like products that are not completely Western in content, you can always avoid those products. Your choices will be severely limited.
++edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com