Supermicro IPMI exploit - still vulnerable

  • 6South
    Registered User
    • Jan 2011
    • 84

    #1

    Supermicro IPMI exploit - still vulnerable

    An exploit against Supermicro IPMI that allows pulling a plain text list of users and passwords using a simple Get command to a specific port from back in November 2013 was not actually fixed in the firmware updates supplied by Supermicro, apparently.

    http://arstechnica.com/security/2014...dvisory-warns/

    There are a couple of more effective options for your server admins that are not being discussed:

    1. Limit IPMI connections to specific IPs.
    2. Put IPMI behind a VPN / firewall.
    3. Disable Telnet connections.

    I've only seen one datacenter post an advisory on this and their solution is to helpfully null route your IPMI connection IPs.
    -= Software / Systems Architect and Server Geek =-
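    The three options above amount to a reachability policy for the management network. The following is an added example, not code from the thread or from any vendor: it audits a constructed border-firewall allow-list (hypothetical addresses and rules) for BMCs reachable from overly broad sources, Telnet exposure, and BMCs that are not on the private management VLAN.

```python
"""Audit a border-firewall allow-list for IPMI/BMC reachability.

Added example: all addresses and rules below are constructed, not
taken from the thread. Flags BMCs reachable from overly broad source
ranges, any rule that permits Telnet, and BMCs outside the private
management network.
"""
import ipaddress
from dataclasses import dataclass

TELNET_PORT = 23
MIN_SOURCE_PREFIX = 24  # sources broader than a /24 count as effectively public


@dataclass(frozen=True)
class Rule:
    src: str   # allowed source CIDR
    dst: str   # destination CIDR (IPMI VLAN or a single BMC)
    port: int  # destination TCP port, 0 = any port


# Constructed sample data (hypothetical addresses).
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")     # private IPMI VLAN
VPN_POOL = "10.99.0.0/24"                            # VPN client pool
BMC_ADDRESSES = ["10.20.0.5", "203.0.113.10", "203.0.113.11"]
RULES = [
    Rule(VPN_POOL, "10.20.0.0/24", 443),            # VPN users -> IPMI web UI
    Rule("0.0.0.0/0", "203.0.113.10/32", 443),      # web UI open to everyone
    Rule("198.51.100.7/32", "203.0.113.11/32", 0),  # one admin IP, any port
    Rule("0.0.0.0/0", "203.0.113.11/32", 23),       # Telnet open to everyone
]


def audit(bmcs, rules, mgmt_net=MGMT_NET):
    """Return {bmc: sorted list of finding strings}; an empty list means clean."""
    report = {}
    for bmc in bmcs:
        addr = ipaddress.ip_address(bmc)
        findings = set()
        if addr not in mgmt_net:
            findings.add("bmc-not-on-management-network")
        for rule in rules:
            if addr not in ipaddress.ip_network(rule.dst):
                continue  # rule does not cover this BMC
            src = ipaddress.ip_network(rule.src)
            if src.prefixlen < MIN_SOURCE_PREFIX:
                findings.add(f"broad-source:{rule.src}:port{rule.port}")
            if rule.port in (0, TELNET_PORT):  # "any port" also admits Telnet
                findings.add(f"telnet-reachable-from:{rule.src}")
        report[bmc] = sorted(findings)
    return report


if __name__ == "__main__":
    for bmc, issues in audit(BMC_ADDRESSES, RULES).items():
        print(bmc, "OK" if not issues else ", ".join(issues))
```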
  • TidalWave
    Confirmed User
    • Sep 2007
    • 2706

    #2
    Here is a detailed explanation and tips: http://blog.quadranet.com/supermicro...in-plain-text/

    They are nullrouting temporarily and also filtering the affected port at their border routers to limit the effect as best as possible.
    Users (idiots) all over the Internet, however, have had their hard drives WIPED, DATA STOLEN, and more. I know firsthand people who have had multiple servers wiped (and who knows what else was done with the data before it was wiped), all because they wanted and whined about having their IPMI on public IP addresses.

    The real solution is upgrading your firmware AND moving IPMI _OFF_ public access internet.
    Only newbs want their IPMI on public, and only newb companies don't have a VPN tunnel service to the IPMI so it's fully secure.
    Last edited by TidalWave; 06-26-2014, 02:26 AM.
    www.SwiftNode.com


    • Klen
      • Aug 2006
      • 32235

      #3
      Originally posted by TidalWave
      They are nullrouting temporarily and also filtering the affected port at their border routers to limit the effect as best as possible.
      Users (idiots) all over the Internet, however, have had their hard drives WIPED, DATA STOLEN, and more. I know firsthand people who have had multiple servers wiped (and who knows what else was done with the data before it was wiped), all because they wanted and whined about having their IPMI on public IP addresses.

      The real solution is upgrading your firmware AND moving IPMI _OFF_ public access internet.
      Only newbs want their IPMI on public, and only newb companies don't have a VPN tunnel service to the IPMI so it's fully secure.
      A VPS server company where I have a domain listed in my sig has been down for several days due to this problem. I knew that company is run by idiots, though I didn't expect them to be such big idiots lol. But I only have domains there which don't matter, so I don't care. But yes, the proper way to do it is by VPN tunnel; SoftLayer does that: if you want to access IPMI, first you need to log in to the local VPN with your username and password, and only then can you access IPMI.


      • TidalWave
        Confirmed User
        • Sep 2007
        • 2706

        #4
        Originally posted by KlenTelaris
        A VPS server company where I have a domain listed in my sig has been down for several days due to this problem. I knew that company is run by idiots, though I didn't expect them to be such big idiots lol. But I only have domains there which don't matter, so I don't care. But yes, the proper way to do it is by VPN tunnel; SoftLayer does that: if you want to access IPMI, first you need to log in to the local VPN with your username and password, and only then can you access IPMI.
        Same with QuadraNet... all access is via the Private Network, and to get access into the Private Network you need to log on to their encrypted VPN tunnel.

        I just looked up the IP of addtrades.com and yeah, I agree with your thoughts on them.
        I know who they are.
        www.SwiftNode.com
