Supermicro BMC Vulnerability


I have recently been experimenting with my Supermicro X7SPA-HF-D525, and found a very serious issue with the BMC. I bought my board in September, and it had a very old firmware on it. It should be noted that the board was marked built in July 2011, so it seems that Supermicro are not burning current versions of the firmware to new boards. The same BMC firmware is shared by all Supermicro boards having the Winbond WPCM450 BMC, most of the 'F' boards. The issue is that prior to version 2.54 of the BMC firmware it was possible to log into the BMC's SMASH console using no password at all. I'll explain this in detail.

If you have used the web interface for the BMC you may have noticed the "Anonymous" user, and disabled it as I did. The problem is this does not stop this user being used with the SMASH console. In their infinite wisdom the developers gave the user a blank password, so you can log in to SMASH by SSHing to port 22 on the BMC's IP address. Log in with "Anonymous" and no password. You then have access to SMASH. All it takes from that point is to type "shell sh" and you will have root access to the BMC's Linux OS. Note that on some earlier versions of the BMC firmware the shell command was disabled, but for the majority it is available. From the OS you can pretty much do what you like to the system, as you have full access to the main system through the BMC.

There are several options you have to mitigate this vulnerability:

  • Upgrade your BMC firmware to the latest version, clearing all user configuration. This automatically disables the Anonymous account.
  • Set a password on the Anonymous account. Disabling login is not sufficient!
  • Ensure the BMC port is not connected to a network that has access to the internet.
  • Disable the BMC entirely.

This assumes you have also changed the default ADMIN:ADMIN login as otherwise it is just as easy to get in that way.

Don't ignore this thinking it won't happen to you. The exploit is in the wild, and people are using it to hack machines and subvert the BMC OS for their own purposes (mostly sending spam and DDoS it appears). Supermicro have not publicised this issue which, given their market segment, I consider a heinous failure.
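As an added illustration of the mitigation list above (this is not code from the original post, from Supermicro, or from any of the posters), the following Python script audits the two conditions the thread describes: a BMC firmware older than 2.54, and an Anonymous account that still exists (the thread's point being that merely disabling it is not enough, so it is flagged whether enabled or not). It parses the text of `ipmitool mc info` and `ipmitool user list <channel>`; the sample outputs embedded below are constructed, the column layout is assumed to be the usual ipmitool layout (minor firmware version printed as two digits), and the account may appear either as "Anonymous" or as a blank name depending on firmware, so both are handled.

```python
"""Audit a Supermicro IPMI BMC for the conditions described in the thread:
firmware older than 2.54 and a still-present Anonymous account.
Input is the text of `ipmitool mc info` and `ipmitool user list <channel>`.
The samples below are constructed so the script runs offline."""
import re

# Constructed sample of `ipmitool mc info` output. Field layout follows what
# ipmitool prints; the values are invented placeholders, not real device data.
SAMPLE_MC_INFO = """\
Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 2.24
IPMI Version              : 2.0
Manufacturer Name         : Supermicro
"""

# Constructed sample of `ipmitool user list 1` output.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   Anonymous        true    false      true       USER
2   ADMIN            false   false      true       ADMINISTRATOR
3   operator1        true    false      true       OPERATOR
"""

FIXED_VERSION = (2, 54)  # first firmware version the thread reports as fixed


def parse_firmware_version(mc_info):
    """Return (major, minor) from the 'Firmware Revision : X.YY' line, or None.
    Assumes ipmitool's two-digit minor field, so tuple comparison is safe."""
    m = re.search(r"^Firmware Revision\s*:\s*(\d+)\.(\d+)", mc_info, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable_firmware(version):
    """True when the BMC firmware predates the version the thread calls fixed."""
    return version < FIXED_VERSION


def parse_user_list(text):
    """Parse `ipmitool user list` rows into dicts. The Name column may be
    blank, so the row is parsed from the first true/false token onwards."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header line or blank
        rest = tokens[1:]
        name = ""
        if rest and rest[0] not in ("true", "false"):
            name = rest.pop(0)
        if len(rest) < 4:
            continue  # malformed row
        callin, link_auth, ipmi_msg = (t == "true" for t in rest[:3])
        users.append({
            "id": int(tokens[0]), "name": name, "callin": callin,
            "link_auth": link_auth, "ipmi_msg": ipmi_msg,
            "priv": " ".join(rest[3:]),  # privilege may be two words
        })
    return users


def audit(mc_info, user_list):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    ver = parse_firmware_version(mc_info)
    if ver is None:
        findings.append("could not determine BMC firmware version from mc info")
    elif is_vulnerable_firmware(ver):
        findings.append("firmware %d.%02d predates 2.54: update the BMC firmware"
                        % ver)
    for u in parse_user_list(user_list):
        if u["name"] == "" or u["name"].lower() == "anonymous":
            state = "enabled" if u["ipmi_msg"] else "disabled"
            findings.append("anonymous account (id %d) present and %s: set a "
                            "password on it, disabling alone is not sufficient"
                            % (u["id"], state))
        if u["name"] == "ADMIN":
            findings.append("factory ADMIN account present: confirm its default "
                            "password has been changed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MC_INFO, SAMPLE_USER_LIST):
        print(" -", finding)
```

Feed it the real command output from a management host on the BMC VLAN (for example via `ipmitool -I lanplus -H <bmc-ip> -U <user> ...` saved to files) rather than the embedded samples; on an updated board with the Anonymous account removed and a renamed administrator, the script should return no findings.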


BMC is the acronym for the controller chip(s) used (Baseboard Management Controller). IPMI is the communication (and more) standards used to communicate with the remote box (Intelligent Platform Management Interface). The IP address is the IP address set up in the BIOS for IPMI. Graphic shows access from web browser. For some reason I've yet to find out - I cannot do anything even though I got past the login just fine. Don't need this since the Supermicro app IPMIView works quite well.

[Image: web access to IPMI on server]


We put all of the IPMI port addresses at work on their own subnet running in separate VLANs.

I can't even ping the management ports at work. I have to log into a management PC to gain access (although I can remote into the management PC..).

I guess there was a reason for this madness.


We put all of the IPMI port addresses at work on their own subnet running in separate VLANs.

I can't even ping the management ports at work. I have to log into a management PC to gain access (although I can remote into the management PC..).

I guess there was a reason for this madness.

Which was my point in another thread that had a post about this. It is only a real problem if you connect it to a public network. Behind a router with a firewall you are only as vulnerable as the firewall and the people using the computers. In a home environment on a private network this is a non-issue. For a business it is an issue and you would think Supermicro would fix it. My guess is it isn't a problem there either because everybody took steps similar to yours.

I totally agree BobPhoenix, but I have seen a few cases of people posting to forums after having their BMC hacked and used to bounce spam. These were people that were using the motherboard in enterprise environments (who should clearly know better than having an IPMI on a public network), so I felt it was worth mentioning. Supermicro has taken steps to correct the issue, and as I mentioned the current version of the firmware does not have the vulnerability. I do feel however that it is a major failing that they continue to ship new boards with old firmwares.

JackBauer - The IP address is the same as the one at which you access the IPMI, using port 22 if you want to SSH.

BobPhoenix - if you have access to the SMASH terminal try typing "shell sh". This should kick you out of SMASH into bash as a root user.


I totally agree BobPhoenix, but I have seen a few cases of people posting to forums after having their BMC hacked and used to bounce spam. These were people that were using the motherboard in enterprise environments (who should clearly know better than having an IPMI on a public network), so I felt it was worth mentioning. Supermicro has taken steps to correct the issue, and as I mentioned the current version of the firmware does not have the vulnerability. I do feel however that it is a major failing that they continue to ship new boards with old firmwares.

I agree they should be upgrading the firmware. Are you sure they are NEW boards manufactured after the upgraded firmware was created? It is possible (not likely because I think they are just lazy or negligent) that boards with the new firmware are out there in the chain but haven't been purchased yet.

BobPhoenix - if you have access to the SMASH terminal try typing "shell sh". This should kick you out of SMASH into bash as a root user.

Assuming you are talking Linux here - which I only know enough to get me into trouble. Which is why I have my network behind a firewall router on a private network. I don't want to take any chances with my systems. I only browse the internet from my laptop and 1 desktop, both of which have the firewalls turned on and anti-virus loaded. All other computers do not access the internet except to get EPG updates for SageTV. I don't even have port forwarding or VPN services enabled on my router - just in case.
