Interface weakness opens servers to attacks

nestor e. arellano

11 years ago

A critical vulnerability in the intelligent platform management interface (IPMI) used by administrators to remotely control computer systems poses a significant threat to rack servers and cloud services running on those servers, according to a security risk assessment firm.

“There is a no authentication mode of cipher zero mode built into IPMIs by manufacturers,” said Gordon McKay, chief technology officer of Digital Defense Inc., a network security and penetration testing firm. “If this setting has not been changed, it serves as a back door for attackers to bypass operating system defenses.”

He said the flaw enables hackers to hijack a baseboard interface even when the power is off.

The IPMI is a messaged-based, hardware-level interface specification. It operates independently of the operating system. The flaw involves the network accessible components of rackmount hardware and is not protected by normal OS-based security controls, according to McKay.

“Hackers send out packets to the 623 UDP port. If they get a response it means the PMI Is not asking for authentication and the hackers can just go in,” said McKay. “Once they are able to log in, it would be as if they were in the computer controlling the servers.”

Among the things a hacker could do are:

Reboot the computer
Install new operating system software
Steal data
Install a malware Trojan
Attackers can hijack servers even when they are powered down

“Keep in mind this is a network accessible baseboard flaw, which means that it doesn’t target the primary operating system but the embedded management agent running on the server,” wrote Mike Cotton, chief network security architect for Digital Defense. “Traditional mitigation such as firewalling all ports on the primary operating system or even shutting down the server completely won’t prevent network traffic from hitting this vector (The baseboard stays on even if the rest of the system is shutdown, so long as the power cord is plugged in).”

Cotton stressed the problem is not an isolated incident involving a single vendor, and neither is it something that occurred only in the past.

“Rackmounts have been shipping with this flaw for years and continued to do so today,” he said. “If you haven’t encountered it while performing network scans on large rackmount deployments, it’s not that it isn’t there, it’s that you scanning vendor isn’t checking for it.”

Cotton provided a remediation procedure in his post which worked on all the major rack mount servers tested by Digital Defense.

To find out what to do, click on this link.