Old 06-26-2014, 03:16 AM   #1
6South
Supermicro IPMI exploit - still vulnerable

An exploit against Supermicro IPMI that allows pulling a plain text list of users and passwords using a simple Get command to a specific port from back in November 2013 was not actually fixed in the firmware updates supplied by Supermicro, apparently.

http://arstechnica.com/security/2014...dvisory-warns/

There are a couple of more effective options for your server admins that are not being discussed:

1. Limit IPMI connections to specific IPs
2. Put IPMI behind a VPN / firewall.
3. Disable Telnet connections.

I've only seen one datacenter post an advisory on this and their solution is to helpfully null route your IPMI connection IPs.
__________________
-= Software / Systems Architect and Server Geek =-
Old 06-26-2014, 03:24 AM   #2
TidalWave
Here is a detailed explanation and tips: http://blog.quadranet.com/supermicro...in-plain-text/

They are nullrouting temporarily and also filtering the affected port at their border routers to limit the effect as best as possible.
Users (idiots) all over the Internet however have had their hard drives WIPED, DATA STOLEN, and more however. I know first hand people who have had multiple servers wiped (and who knows what else with the data before being wiped), all because they wanted and whined about having their IPMI on public IP addresses.

The real solution is upgrading your firmware AND moving IPMI _OFF_ public access internet.
Only newbs want their IPMI on public, and only newb companies don't have a VPN tunnel service to the IPMI so it's fully secure.

Last edited by TidalWave; 06-26-2014 at 03:26 AM..
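The three mitigations listed in post #1 and the "off public access" advice in post #2, expressed as an inventory audit. This is an added example, not part of the thread; the network ranges, host names, inventory layout and finding labels are assumptions chosen for illustration.

```python
import ipaddress

# Assumed site policy (hypothetical ranges, not from the thread): BMCs may
# only live in the out-of-band network, and only the VPN pool may reach them.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
VPN_SOURCES = [ipaddress.ip_network("10.99.0.0/28")]

# Constructed inventory: (host, BMC address, allowed source CIDRs, telnet on?)
INVENTORY = [
    ("web01", "10.20.0.11", ["10.99.0.0/28"], False),
    ("web02", "203.0.113.45", ["0.0.0.0/0"], True),
    ("db01", "10.20.0.12", ["10.99.0.0/28", "198.51.100.0/24"], False),
    ("db02", "10.20.0.13", [], False),
]

def within(net, allowed):
    """True if net is fully contained in one of the allowed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_bmc(bmc_ip, allowed_sources, telnet_enabled):
    """Return the list of findings for one BMC, empty if it meets policy."""
    findings = []
    addr = ipaddress.ip_network(bmc_ip)  # single address as a /32 or /128
    if not within(addr, MGMT_NETS):
        findings.append("bmc-outside-mgmt-network")
    if not allowed_sources:
        # Assumption: an empty list means the BMC accepts any source.
        findings.append("no-source-restriction")
    for cidr in allowed_sources:
        src = ipaddress.ip_network(cidr, strict=False)
        if not within(src, VPN_SOURCES):
            findings.append(f"source-too-broad:{src}")
    if telnet_enabled:
        findings.append("telnet-enabled")
    return findings

def audit_inventory(inventory):
    """Map each host to its findings, keeping only hosts that fail."""
    report = {}
    for host, bmc_ip, sources, telnet in inventory:
        findings = audit_bmc(bmc_ip, sources, telnet)
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host, ", ".join(findings))
```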
Old 06-26-2014, 03:29 AM   #3
Klen
 
Quote:
Originally Posted by TidalWave
They are nullrouting temporarily and also filtering the affected port at their border routers to limit the effect as best as possible.
Users (idiots) all over the Internet however have had their hard drives WIPED, DATA STOLEN, and more however. I know first hand people who have had multiple servers wiped (and who knows what else with the data before being wiped), all because they wanted and whined about having their IPMI on public IP addresses.

The real solution is upgrading your firmware AND moving IPMI _OFF_ public access internet.
Only newbs want their IPMI on public, and only newb companies don't have a VPN tunnel service to the IPMI so it's fully secure.

A VPS server company where I have the domain listed in sig has been down for several days due to this problem. I know that company is run by idiots, though I didn't expect them to be such big idiots lol. But I only have domains which don't matter there, so I don't care. But yes, the proper way to do it is by VPN tunnel. SoftLayer does that: if you want to access IPMI, first you need to log in to the local VPN with your username and password, and only then can you access IPMI.
Old 06-26-2014, 03:34 AM   #4
TidalWave
Quote:
Originally Posted by KlenTelaris
A VPS server company where I have the domain listed in sig has been down for several days due to this problem. I know that company is run by idiots, though I didn't expect them to be such big idiots lol. But I only have domains which don't matter there, so I don't care. But yes, the proper way to do it is by VPN tunnel. SoftLayer does that: if you want to access IPMI, first you need to log in to the local VPN with your username and password, and only then can you access IPMI.

Same with QuadraNet... all access is via Private Network, and to get access into the Private Network you need to log on to their encrypted VPN tunnel.

I just looked up the IP of addtrades.com and yeah, I agree with your thoughts on them.
I know who they are.
Tags
0-day, ipmi


