A significant number of servers containing motherboards manufactured by Supermicro exposes administrator passwords, the situation is worrying considering that the problem is well known and a series of patches has been already released to fix the critical vulnerability, as explained by experts at CARI.net team.
The flaw relates to a component in the baseboard management controller (BMC) which allows administrators to monitor physical parameters (e.g. Temperatures, fan speed, disk and memory performance) of a large number of servers. The controller in Supermicro motherboards contains a binary file which contains remote login passwords in clear text.
Security researchers warned IT community since 10 months ago, a hundred of thousand servers sold by principal vendors, including Dell and HP, contain a vulnerable BMC, it is a godsend for hackers that can remotely steal passwords and compromise the targeted systems.
Also the Sans Institute has published a blog post on the vulnerability:
“The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152,” it stated. “One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word.”
Also on twitter it is possible to find news on the BMC:
As my readers known, it is quite simple for an attacker to locate vulnerable Supermicro motherboards running an Internet scan on port 49152, tools like the Shodan search engine make this job very easy.
“After my previous attempts to gain forward momentum with this issue had failed, and after getting the advice to release from several other security professionals, I reached out to one John Matherly (Shodan) and discussed with him what I had found. Being the awesome person that he is, he provided data on every host that was responding to a web request on port 49152 and the response to “GET /PSBlock”. I was blown away by the results (below): Total Hosts responding to web requests on port 49152: 9,867,259 Vulnerable Systems: 31,964
(Now keep in mind that not everything responding on port 49152 is a Supermicro product. As it turns out, many products use the embedded UPNP software by default, but let’s get through Supermicro first)” reports as advisory published on the flaw.
The news is shocking, nearly 31,964 systems store their passwords in clear text and are exposed on the Internet.
“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market,””It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was ‘password.'” wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team.
To permanently resolve the problem, it is necessary to “flash” with new firmware the Supermicro motherboard, but it is a process not feasible for many production servers. Another possibility for the administrators of the flawed BMC is to use secure shell connection to a flawed device and disabling all universal plug and play processes, be aware that this process is temporary because it works until the power supply is interrupted.
(Security Affairs – BMC, SuperMicro)