Re: [Full-disclosure] Supermicro IPMI: backup function causes password to be stored at public web location

[Raymond Dijkxhoorn <raymond@xxxxxxxxxxxxxxx>]

Hi!

> Tested hardware:
>
> Supermicro X8SI6-F mainboard - IPMI firmware: 2.50
> Supermicro X9SCL-F mainboard - IPMI firmware: 1.01
>
> Likely affects other Supermicro boards of those generations that use the
> same type of firmware.
>
> ==
> Problem
> ==
>
> Modern servers often include a feature called IPMI to remotely manage and
> monitor the server.
> Since setting up the IPMI card properly requires entering a dozen settings
> ranging from network information, usernames and passwords,
> to e-mail address that should be notified if a hardware failure occurs,
> most IPMI cards offer a convenience function to backup and restore the
> settings to a file.
>
>
> In the case of these boards you can login to the IPMI webinterface and go
> to "maintenance" -> "IPMI configuration" -> "save IPMI configuration" and a
> configuration backup file is generated.
>
> This file is then available for download at:
> http://ipmi-ip-address/save_config.bin
>
> The problem is that this file is PUBLICLY accessible to everyone, even
> those NOT logged into the webinterface.
> Furtermore the file remains accessible until the server chassis loses
> power, which is unlikely to be anytime soon if the server is already racked
> up in a datacenter.

This isnt only the issue for the passwords. But also for the screen 
images. Those IPMI controllers have a option to capture the actual server 
screen. And this isnt password protected either.

We reported this ~ 3 years ago to them. And is available in about any 
version.

My advise, put those IPMI's on private networks only. Or firewall them.

Bye,
Raymond.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/