[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <alpine.LFD.2.00.1110121125110.15500@noc.prolocation.net>
Date: Wed, 12 Oct 2011 11:26:57 +0200 (CEST)
From: Raymond Dijkxhoorn <raymond@...location.net>
To: Floris Bos <bos@...eigen-domein.nl>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Supermicro IPMI: backup function causes
password to be stored at public web location
Hi!
> Tested hardware:
>
> Supermicro X8SI6-F mainboard - IPMI firmware: 2.50
> Supermicro X9SCL-F mainboard - IPMI firmware: 1.01
>
> Likely affects other Supermicro boards of those generations that use the
> same type of firmware.
>
> ==
> Problem
> ==
>
> Modern servers often include a feature called IPMI to remotely manage and
> monitor the server.
> Since setting up the IPMI card properly requires entering a dozen settings
> ranging from network information, usernames and passwords,
> to e-mail address that should be notified if a hardware failure occurs,
> most IPMI cards offer a convenience function to backup and restore the
> settings to a file.
>
>
> In the case of these boards you can login to the IPMI webinterface and go
> to "maintenance" -> "IPMI configuration" -> "save IPMI configuration" and a
> configuration backup file is generated.
>
> This file is then available for download at:
> http://ipmi-ip-address/save_config.bin
>
> The problem is that this file is PUBLICLY accessible to everyone, even
> those NOT logged into the webinterface.
> Furtermore the file remains accessible until the server chassis loses
> power, which is unlikely to be anytime soon if the server is already racked
> up in a datacenter.
This isnt only the issue for the passwords. But also for the screen
images. Those IPMI controllers have a option to capture the actual server
screen. And this isnt password protected either.
We reported this ~ 3 years ago to them. And is available in about any
version.
My advise, put those IPMI's on private networks only. Or firewall them.
Bye,
Raymond.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists