lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 12 Oct 2011 11:26:57 +0200 (CEST)
From: Raymond Dijkxhoorn <raymond@...location.net>
To: Floris Bos <bos@...eigen-domein.nl>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Supermicro IPMI: backup function causes
 password to be stored at public web location

Hi!

> Tested hardware:
>
> Supermicro X8SI6-F mainboard - IPMI firmware: 2.50
> Supermicro X9SCL-F mainboard - IPMI firmware: 1.01
>
> Likely affects other Supermicro boards of those generations that use the
> same type of firmware.
>
> ==
> Problem
> ==
>
> Modern servers often include a feature called IPMI to remotely manage and
> monitor the server.
> Since setting up the IPMI card properly requires entering a dozen settings
> ranging from network information, usernames and passwords,
> to e-mail address that should be notified if a hardware failure occurs,
> most IPMI cards offer a convenience function to backup and restore the
> settings to a file.
>
>
> In the case of these boards you can login to the IPMI webinterface and go
> to "maintenance" -> "IPMI configuration" -> "save IPMI configuration" and a
> configuration backup file is generated.
>
> This file is then available for download at:
> http://ipmi-ip-address/save_config.bin
>
> The problem is that this file is PUBLICLY accessible to everyone, even
> those NOT logged into the webinterface.
> Furtermore the file remains accessible until the server chassis loses
> power, which is unlikely to be anytime soon if the server is already racked
> up in a datacenter.

This isnt only the issue for the passwords. But also for the screen 
images. Those IPMI controllers have a option to capture the actual server 
screen. And this isnt password protected either.

We reported this ~ 3 years ago to them. And is available in about any 
version.

My advise, put those IPMI's on private networks only. Or firewall them.

Bye,
Raymond.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists