IPMI/BMC Vulnerabilities

Date : October 16, 2013

This article deals with the security threats affecting the Intelligent Platform Management Interface (IPMI) and Baseboard Management Controllers (BMCs).

The security vulnerabilities of IPMI and BMCs were first disclosed by Dan Farmer in early 2013. They caught media attention during the summer of 2013, first when HD Moore published an article on the topic (titled "A Penetration Tester's Guide to IPMI and BMCs"), and later when researchers from the University of Michigan presented, at the USENIX WOOT '13 conference, a practical demonstration of IPMI attacks against the implementation of one manufacturer, Supermicro.

After a brief description of IPMI and BMCs, this article describes the security vulnerabilities that were discovered, then the attack scenarios available to attackers. Finally, it proposes workarounds and recommendations associated with these threats.

 

1-      Introduction to IPMI and BMC

IPMI (Intelligent Platform Management Interface) is a remote administration protocol designed to manage computer systems at a low level (it is mainly concerned with the hardware), independently of the installed operating system. It allows an administrator to:

  • Monitor and display the status of hardware components (disk and memory health, temperatures, …)
  • Obtain information about the state of the physical server
  • Manage the system sensors
  • Reboot or power-cycle the computer, etc.

IPMI is very widespread: most server vendors ship an implementation under their own product name, such as HP iLO, Dell iDRAC, Oracle/Sun ILOM, IBM/Lenovo IMM, etc.

IPMI relies on a hardware component (an integrated circuit, in practice a dedicated microcontroller running its own firmware) present on the server's main board: the BMC (Baseboard Management Controller).

 

2-      Security flaws

In early 2013, Dan Farmer published the vulnerabilities he had found during a study performed in 2012. He showed that IPMI and BMCs suffer from many problems:

  • Most vendors enable dangerous IPMI features by default.
  • Users do not understand what a BMC is, nor what it can do.
  • No audit or forensic tools exist for this environment.
  • A backup of the firmware is not always available, so that no rollback is possible after an update.
  • Vendors install permanent default accounts (backdoors) so that their support staff can easily access the servers.

The major security flaws found are described below:

  • In several IPMI 2.0 implementations, a client that requests cipher suite 0 ("Cipher 0", which provides no authentication, no integrity and no confidentiality) is accepted, and authentication is effectively bypassed. In that case, just knowing the name of a valid BMC account is enough to execute any IPMI command remotely (e.g. with the Linux ipmitool command and its -C 0 option) without providing any password!
  • The remote authentication process RAKP (RMCP+ Authenticated Key-Exchange Protocol) lets an unauthenticated client obtain, from the IPMI server, an HMAC (SHA1 or MD5) keyed with the user's password and computed over values the client knows. This amounts to a password hash that can be attacked offline: if the user's password is not strong enough, it can be recovered by brute force or a dictionary attack. Fixing this issue is not easy because it comes directly from the IPMI specification. The workaround is to isolate all BMCs in a separate network.
  • Many BMCs are delivered with an "anonymous" access enabled by default, and this is not always documented: the first user account exists with both the username and the password set to null (empty).
  • The UPnP (Universal Plug and Play) protocol is turned on by default on many BMCs, and some of them offer no option to disable it. The interesting thing is that a flaw in the UPnP service can give complete root access to the BMC, which is difficult to obtain otherwise. Since vulnerabilities exist in common UPnP implementations, this can result in an attacker taking full control of the BMC.

Note: In its February 2013 bulletin, the Cert-IST published an article on UPnP vulnerabilities titled "Rapid7 study on UPnP protocol vulnerabilities".

  • Implementing the IPMI 2.0 specification requires storing a clear-text copy of every user password somewhere in the BMC's non-volatile storage, because the RAKP authentication code is an HMAC keyed with the password itself. In some implementations (such as Supermicro's), the clear-text passwords can easily be retrieved by dumping the BMC memory.
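To make the RAKP weakness concrete, here is an added Python example (it is not code from the Cert-IST article, nor from HD Moore's or the Michigan team's tooling). It reproduces the authentication code a BMC returns in RAKP message 2 and then recovers the password offline from it, which is exactly why the exchange leaks a crackable "hash". The session identifiers, random values, GUID, username, password and word list are all constructed for the demonstration; the message layout follows the IPMI 2.0 specification, and the salt:hash line is in the format accepted by hashcat mode 7300 (IPMI2 RAKP HMAC-SHA1).

```python
"""RAKP message 2: how an unauthenticated client obtains an offline-crackable
HMAC of a BMC user's password (IPMI 2.0 / RMCP+).

Added example, not code from the Cert-IST article. Every value below is
constructed for the demonstration. In a real exchange the client chooses
SID_M and RAND_M itself, and the BMC sends SID_C, RAND_C and GUID_C in
clear in RAKP message 2, together with the HMAC, for any *valid* username.
"""
import hashlib
import hmac
import struct

# --- Constructed sample values (stand-in for a captured/elicited exchange) ---
SID_M = 0xA4A3A2A0                  # remote console session ID, chosen by the client
SID_C = 0x02000000                  # managed system session ID, returned by the BMC
RAND_M = bytes(range(0x10, 0x20))   # 16-byte client random, chosen by the client
RAND_C = bytes.fromhex("c0ffee00c0ffee00c0ffee00c0ffee00")  # BMC random, sent in clear
GUID_C = bytes.fromhex("00112233445566778899aabbccddeeff")  # BMC GUID, sent in clear
ROLE_M = 0x04                       # requested privilege level: ADMINISTRATOR
USERNAME = "ADMIN"
BMC_PASSWORD = "summer2013"         # known only to the BMC (constructed secret)

HASHES = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username):
    """Bytes the RAKP2 HMAC is computed over (IPMI 2.0 spec, RAKP Message 2):
    SIDm || SIDc || RandM || RandC || GUIDc || RoleM || ULength || UserName.
    Session IDs are little-endian 32-bit; the username length is one byte."""
    uname = username.encode()
    return (struct.pack("<I", sid_m) + struct.pack("<I", sid_c)
            + rand_m + rand_c + guid_c
            + bytes([role_m, len(uname)]) + uname)


def rakp2_auth_code(password, salt, algo="sha1"):
    """What the BMC returns: HMAC over the salt, keyed with the user's password.
    HMAC zero-pads keys shorter than its block size, so padding the password
    to the spec's 20-byte K_UID does not change the result."""
    return hmac.new(password.encode(), salt, HASHES[algo]).digest()


def to_hashcat(salt, auth_code):
    """hashcat mode 7300 (IPMI2 RAKP HMAC-SHA1) input line: hex(salt):hex(hmac)."""
    return f"{salt.hex()}:{auth_code.hex()}"


def crack(salt, auth_code, wordlist, algo="sha1"):
    """Offline dictionary attack: the attacker knows every byte of `salt`,
    so no further contact with the BMC is needed (no lockout, no log entry)."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate, salt, algo), auth_code):
            return candidate
    return None


def demo():
    """Full scenario: BMC answers RAKP message 1, attacker cracks the answer."""
    salt = rakp2_salt(SID_M, SID_C, RAND_M, RAND_C, GUID_C, ROLE_M, USERNAME)
    leaked = rakp2_auth_code(BMC_PASSWORD, salt)      # the RAKP2 "hash"
    wordlist = ["admin", "ADMIN", "password", "calvin", "summer2013", "changeme"]
    return crack(salt, leaked, wordlist)


if __name__ == "__main__":
    salt = rakp2_salt(SID_M, SID_C, RAND_M, RAND_C, GUID_C, ROLE_M, USERNAME)
    print("hashcat 7300 line:", to_hashcat(salt, rakp2_auth_code(BMC_PASSWORD, salt)))
    print("recovered password:", demo())
```

The point the code makes is that the only secret in the computation is the password: everything else is either chosen by the client or handed to it by the BMC in clear, which is why a long, unique password (and network isolation of the BMC) is the only real mitigation as long as the protocol is RAKP.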

The BMC is an embedded system, often running Linux, which operates independently of the operating system installed on the server. It is reachable from the network even when the main OS is off. An attacker who takes control of the BMC (using one of the vulnerabilities listed above) can then attack the host OS from there.

 

3-      IPMI attack scenarios

HD Moore and the University of Michigan researchers describe a number of dangerous attack scenarios. For example, an attacker can guess default passwords or exploit the vulnerabilities above, then flash a malicious firmware. The most dangerous scenarios, once IPMI has been subverted, are the following:

  • Subverting the host system: IPMI provides a remote virtual console, i.e. a KVM (Keyboard, Video and Mouse) server that redirects the keyboard, video and mouse streams. It also offers virtual USB disk features, which can be used to import and export files or to provide new boot media. All these features allow an attacker who has gained illegitimate access to the IPMI layer to take control of most operating systems.
  • BMC spyware: if an attacker can install spyware on the BMC, they can eavesdrop on the whole system and manage it. The BMC spyware can thus collect the passwords used during remote management sessions, those used to access other systems on the network, or those typed on the physical server console.
  • Persistent BMC rootkits: installing a persistent rootkit on the BMC gives an attacker backdoor access to the BMC, in a way that is not visible in the IPMI access logs.
  • Attacking the BMC from the host system: an attacker who has access to the host system can use it to compromise the BMC. For example, tests performed on Supermicro servers showed that software running on the host can "freely" reflash the BMC firmware via the KCS (Keyboard Controller Style) interface, without any code signing or authentication.
  • IPMI botnets: an attacker can also install "bots" on BMC devices, and so build IPMI botnets that take advantage of the large bandwidth available to servers.

 

4-      Workaround / Recommendation / Best practices

A list of best practices and recommendations is proposed below to help system operators improve the security of their systems:

  • Update the IPMI firmware. These updates can however be cumbersome, because they must usually be performed manually.

Note: Cert-IST recently published two advisories about IPMI:

- CERT-IST/AV-2013.704 : Multiple vulnerabilities in Cisco Unified Computing System (UCS)

- CERT-IST/AV-2013.568 : Vulnerability in HP Integrated Lights-Out (iLO)

  • Do not expose IPMI-enabled devices to the Internet.
  • Use a segregated network or a dedicated VLAN for the management interfaces.
  • Change the default passwords and certificates.
  • Do not use the same password on all IPMI devices: if one device is compromised, the others would be too.
  • Monitor the traffic on the management network.
  • Build an inventory of all hosts that embed a BMC.
  • Disable IPMI when it is not needed.
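Two of the flaws described in section 2, cipher suite 0 and the anonymous user, can be checked on each inventoried BMC from the output of two ipmitool commands. The script below is an added Python example, not code from the Cert-IST article: it parses `ipmitool lan print 1` and `ipmitool user list 1` output (the two text blocks are constructed samples in the format ipmitool prints; channel 1 and the address values are assumptions) and prints the ipmitool command that fixes each finding.

```python
"""Audit an IPMI configuration from ipmitool output.

Added example, not code from the Cert-IST article. It flags cipher suite 0
still enabled and the anonymous (empty-name) user still able to send IPMI
messages, and proposes the ipmitool command that fixes each. The two text
blocks are constructed sample output in the shape of `ipmitool lan print 1`
and `ipmitool user list 1`; channel 1 and the addresses are assumptions.
"""
import re

# Constructed, abridged `ipmitool lan print 1` output (documentation addresses).
LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:00:00:01
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Constructed `ipmitool user list 1` output: user ID 1 has no name but can
# still send IPMI messages as ADMINISTRATOR, i.e. the anonymous account.
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            false   false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""


def parse_lan_print(text):
    """Return (cipher_suites, priv_max). ipmitool maps the i-th character of
    'Cipher Suite Priv Max' to the i-th suite listed under 'RMCP+ Cipher
    Suites'; 'X' means the suite is unused (disabled)."""
    suites, privs = [], ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip()]
        elif key == "Cipher Suite Priv Max":
            privs = value.strip()
    return suites, privs


def parse_user_list(text):
    """Return [(user_id, name, ipmi_msg_enabled, priv_limit), ...].
    Columns are separated by runs of spaces; an empty Name column leaves
    only five fields, which is exactly the anonymous-user case."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("ID"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 5:            # blank Name column
            fields.insert(1, "")
        uid, name, _callin, _link, ipmi_msg, priv = fields
        users.append((int(uid), name, ipmi_msg == "true", priv))
    return users


def audit(lan_print_text, user_list_text, channel=1):
    """Return [(finding, remediation_command), ...]."""
    findings = []
    suites, privs = parse_lan_print(lan_print_text)
    if 0 in suites:
        i = suites.index(0)
        if i < len(privs) and privs[i] != "X":
            fixed = privs[:i] + "X" + privs[i + 1:]     # mark suite 0 unused
            findings.append((
                f"cipher suite 0 (no authentication) enabled, max privilege '{privs[i]}'",
                f"ipmitool lan set {channel} cipher_privs {fixed}"))
    for uid, name, ipmi_msg, priv in parse_user_list(user_list_text):
        if name == "" and ipmi_msg:
            findings.append((
                f"anonymous user (ID {uid}, empty name) can send IPMI messages as {priv}",
                f"ipmitool user disable {uid}"))
    return findings


if __name__ == "__main__":
    for finding, fix in audit(LAN_PRINT, USER_LIST):
        print(f"[!] {finding}\n    fix: {fix}")
```

After applying the proposed commands, the checks are easy to repeat from the network side: an `ipmitool -I lanplus -C 0 -H <bmc> -U ADMIN -P x user list` attempt must now be refused, and `ipmitool lan print 1` must show an "X" in the position of cipher suite 0.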

System operators must apply these best practices and recommendations to improve the security of their systems, and the developers of IPMI solutions must do the same. Securing IPMI requires security expertise from the developers and dedicated security work during the different phases of the project (including the design, engineering and testing phases). The standard defense mechanisms to use are:

  • Password salting and hashing.
  • Automatic firmware updates, with firmware signing and signature verification so that only authentic firmware can be flashed.
  • DEP (Data Execution Prevention), a feature of most operating systems (Linux, Microsoft Windows, …) that marks memory regions holding data as non-executable, so that an exploit (e.g. of a buffer overflow) cannot inject code into them and run it.
  • ASLR (Address Space Layout Randomization), which randomizes the location of a program's key memory areas (stack, heap, libraries) at each execution, so that an exploit cannot rely on fixed addresses; it helps to defeat buffer overflow exploits, for instance.
  • Stack canaries, a method that detects a stack overflow before the malicious code is executed: a randomly generated value is stored on the stack, just before the saved return address, when a function is entered; if this value has been altered when the function returns, execution is aborted.
  • Penetration tests must be performed to assess the security of the system.

 

5-      Conclusions

While IPMI plays an important role in system management, the security of these systems must not be neglected. As shown by Dan Farmer's study, IPMI security must be considered a major concern, and the practical attacks against IPMI presented by the University of Michigan researchers demonstrate that this is not only a theoretical issue.

It is essential that these vulnerabilities become better known, and that strong security measures are applied to protect servers from the currently known vulnerabilities.

 

For more information:

http://www.darkreading.com/management/new-gaping-security-holes-found-exposing/240157724

http://magazine.qualys.fr/menaces-alertes/vulnerabilite-ipmi-bmc/

http://arstechnica.com/security/2013/08/remote-admin-tool-imperils-servers/

http://www.securityweek.com/security-vulnerabilities-baseboard-management-controllers-rampant-research-finds

http://www.wired.com/threatlevel/2013/07/ipmi/

https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
