A new security feature to encrypt passwords is available from Supermicro for systems running IPMI 1.5 & 2.0 protocols and/or BMC firmware. If you haven’t done so already, please update your firmware as soon as possible.
BMCs in older Supermicro motherboards contain a binary file which stores remote login passwords in plain text. Essentially, if you don’t update your firmware, an attacker could gain credentialed access via IPMI on vulnerable systems. This does not pertain to Supermicro’s X10 series motherboards, so if you are using the newest hardware from Supermicro, there is no need to update.
How to check if your system is vulnerable?
If you are using Supermicro servers with IPMI, make sure your storage system is not affected. Check whether you are safe by connecting to port 49152 on your own system and trying to download the file PSBlock; on a vulnerable system, that file contains the exposed password.
Having access to the IPMI / BMC password does not mean that we automatically have access to the root password on a given server. However, with the help of IPMI we can manage and control the server’s ‘power state’, BIOS settings and network interface card addresses. On some systems it is also possible to boot the machine from a remotely mounted ISO disk, which can lead to a takeover of superuser rights or to damage to the data stored on the server.
Keep in mind that the firmware update process can cause unwanted downtime in High Availability production environments. In such a case, a better option is to restrict access to the dedicated ports associated with IPMI at a router with a firewall.
Protect yourself in the future – change default passwords and update firmware regularly
On June 20th, 2014, Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team, published some interesting statistics regarding this vulnerability: “There are 31,964 systems that have their passwords available on the open market. It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was “password”.”