
Tens of thousands of servers that use motherboards manufactured by Supermicro store admin passwords in plain text, which can be exposed if an attacker simply connects to port 49152, writes Zachary Wikholm, Senior Security Engineer with CARI.Net.

“If you take a look at the /nv directory, you will find the IPMIdevicedesc.xml file, a file which was already known to be downloaded via the aforementioned port. You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” Wikholm said.

Wikholm says the PSBlock password file is one of many vulnerable files, and notes that the contents of the /nv/ directory are accessible by way of a browser, including the server.pem file, the wsman admin password and the netconfig files.
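A defender's check for the exposure described above, added here as an example and not code from the article or from CARI.Net: it parses constructed connection-log lines and flags requests that reach port 49152 from outside an assumed management network, or that ask for the /PSBlock, /nv/ and related files named in the text. The log format, the 10.10.0.0/16 management range and the sample lines are all assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network

BMC_PORT = 49152  # UPnP/IPMI web port named in the article
# Files the article reports as readable from the BMC's /nv directory.
SENSITIVE_PATHS = ("/PSBlock", "/nv/", "/IPMIdevicedesc.xml", "/server.pem")
# Assumed management network; any other source address is treated as external.
MGMT_NET = ip_network("10.10.0.0/16")

# Assumed log format: <ts> src=<ip> dst=<ip>:<port> "<method> <path> HTTP/x.y" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) '
    r'"(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["status"] = int(rec["port"]), int(rec["status"])
    return rec


def classify(rec):
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons = []
    if rec["port"] != BMC_PORT:
        return reasons
    if ip_address(rec["src"]) not in MGMT_NET:
        reasons.append("external source reached BMC port 49152")
    if any(rec["path"].startswith(p) for p in SENSITIVE_PATHS):
        reasons.append("request for BMC credential/config file %s" % rec["path"])
        if rec["status"] == 200:  # a 200 means the BMC actually served the file
            reasons.append("server returned 200: file likely exposed")
    return reasons


def scan(lines):
    """Return [(record, reasons)] for every parsable line that raised a flag."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec) if rec else []
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '2014-06-19T10:01:02Z src=10.10.3.4 dst=10.10.5.21:443 "GET /cgi/login.cgi HTTP/1.1" 200 812',
    '2014-06-19T10:01:09Z src=203.0.113.7 dst=10.10.5.21:49152 "GET /PSBlock HTTP/1.1" 200 512',
    '2014-06-19T10:02:30Z src=10.10.3.4 dst=10.10.5.21:49152 "GET /IPMIdevicedesc.xml HTTP/1.1" 200 2048',
    '2014-06-19T10:03:00Z src=198.51.100.9 dst=10.10.5.22:49152 "GET /nv/server.pem HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOG):
        print(rec["ts"], rec["src"], "->", rec["dst"], rec["path"], "|", "; ".join(reasons))
```

Only hits on port 49152 are reported; the first sample line (a normal HTTPS login on port 443) produces no alert.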

“When I attempted to reach out to Supermicro, the standard response received was that the UPnP issue had already been patched with the newest IPMI BIOS version. However, flashing a system is not always a possibility,” said Wikholm.

“After my previous attempts to gain forward momentum with this issue had failed, and after getting the advice to release from several other security professionals, I reached out to one John Matherly (Shodan) and discussed with him what I had found. Being the awesome person that he is, he provided data on every host that was responding to a web request on port 49152 and the response to “GET /PSBlock”. I was blown away by the results.”

What they found was alarming: the number of hosts responding to web requests on port 49152 was 9,867,259, and they detected as many as 31,964 potentially vulnerable systems, assuming they were all equipped with the Supermicro motherboards.

“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market. It gets a bit scarier when you review some of the password statistics,” said Wikholm. “Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was ‘password’.”
