lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.00.1110121125110.15500@noc.prolocation.net> Date: Wed, 12 Oct 2011 11:26:57 +0200 (CEST) From: Raymond Dijkxhoorn <raymond@...location.net> To: Floris Bos <bos@...eigen-domein.nl> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Supermicro IPMI: backup function causes password to be stored at public web location Hi! > Tested hardware: > > Supermicro X8SI6-F mainboard - IPMI firmware: 2.50 > Supermicro X9SCL-F mainboard - IPMI firmware: 1.01 > > Likely affects other Supermicro boards of those generations that use the > same type of firmware. > > == > Problem > == > > Modern servers often include a feature called IPMI to remotely manage and > monitor the server. > Since setting up the IPMI card properly requires entering a dozen settings > ranging from network information, usernames and passwords, > to e-mail address that should be notified if a hardware failure occurs, > most IPMI cards offer a convenience function to backup and restore the > settings to a file. > > > In the case of these boards you can login to the IPMI webinterface and go > to "maintenance" -> "IPMI configuration" -> "save IPMI configuration" and a > configuration backup file is generated. > > This file is then available for download at: > http://ipmi-ip-address/save_config.bin > > The problem is that this file is PUBLICLY accessible to everyone, even > those NOT logged into the webinterface. > Furtermore the file remains accessible until the server chassis loses > power, which is unlikely to be anytime soon if the server is already racked > up in a datacenter. This isnt only the issue for the passwords. But also for the screen images. Those IPMI controllers have a option to capture the actual server screen. And this isnt password protected either. We reported this ~ 3 years ago to them. And is available in about any version. My advise, put those IPMI's on private networks only. Or firewall them. Bye, Raymond. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists