Immediate action called for on server management flaws

Security experts are warning companies to segregate and closely monitor network traffic to a highly vulnerable protocol used in remotely monitoring and managing servers.

Independent security consultant Dan Farmer identified serious flaws in the Intelligent Platform Management Interface (IPMI) protocol that talks to the server's Baseboard Management Controller, a microcontroller embedded in the motherboard.

Sensors within a system report to the BMC such metrics as temperature, cooling fan speeds and power and operating system statuses. The IPMI specification, which is maintained by Intel, makes it possible to remotely monitor servers for BMC-reported problems and to manage access to the systems.

The vulnerabilities discovered by Farmer would enable a hacker to copy or erase data, reconfigure the operating system, install a backdoor, capture credentials or wipe the hard drives.

"You really don't want vulnerabilities in such a powerful service," said Wolfgang Kandek, chief technology officer for Qualys.

Farmer, who started research on the IPMI last year through a Defense Department DARPA grant, identified half a dozen vulnerabilities. One of the most critical is in version 2.0 of the IPMI.

The flaw in the encryption method known as "Cipher 0" essentially bypasses the entire authentication process. As a result, a hacker can exploit the vulnerability using standard command-line IPMI, says Rapid7, which did an analysis of Farmer's findings.

Another critical vulnerability in version 2.0 is passing along from the BMC a cryptographic hash of the user's password to any requesting client prior to authentication. "An attacker can perform an offline brute force attack on this hash to quickly determine the correct password," said Rapid7, which estimates 100,000 Internet-connected servers are vulnerable to such an attack.

[Tony Bradley in Salted Hash: Are you sure you're really in control of your servers?]

Some vulnerabilities are also found in IPMI version 1.5, commonly found in servers along with 2.0. For example, both versions of the protocol specification require that IPMI passwords be stored unencrypted on the BMC. This flaw was confirmed on Dell and Supermicro systems.

"This has significant ramifications when combined with the other vulnerabilities that allow remote root access to the BMC, because organizations place servers into large -- at times exceeding 100,000 or more computers -- managed IPMI groups that all share the same password," Rapid7 said.

Plugging the vulnerabilities is not possible, given they are built into the specification. Therefore, the best solution is to have a single port dedicated only to IPMI access.

"It should be a separate network physically, having two or more network cables going into your server, one of them to the dedicated IPMI port," Kandek said.

Companies that access the IPMI port over the Internet should have a gateway in front of the system that requires a separate login and two-factor authentication.

"For the gateway, whatever the system administrator is most comfortable with [is OK]," he said. "I would use a Linux machine stripped down only to the basic functionality that's needed. Other people might be more comfortable with Windows, so they probably should do a Windows server build with the same stripped down functionality."

Finally, companies should monitor network traffic to the port closely for any abnormalities, such as an IP address for a computer that is not normally used to access the IPMI, Kandek said.

While segregation is a good solution, it isn't always possible, said HD Moore, chief research officer for Rapid7 and the creator of the open source Metasploit Framework, used to execute exploit code against a remote system for testing purposes.

Because low-end servers often have only one port for connecting to the Internet, segregating the IPMI isn't possible. An option would be to set up a virtual local area network that creates a distinct broadcast domain to carry only packets headed to the IPMI. This would enable monitoring of the network traffic.

"Most people don't do this because it's a pain in the butt and you have to have a switch that supports its," Moore said.

In general, there is no single solution to the problem. Moore recommends that system administrators scan their servers with Metasploit, find the vulnerabilities that affect their systems and then decide what to do about them.

"There's definitely a number of mitigation strategies out there," Moore said.

Read more about network security in CSOonline's Network Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationssecurityIPMIDARPAflawIntelligent Platform Management InterfacesoftwareData Protection | Network Securityinteldata protectionqualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place