One of the only things worse than discovering a gaping security hole that puts about 308,000 servers at risk of being hacked, is learning that there is nothing you can do to actually fix it. Some people may argue that there are mitigations, but "By definition, the technology is pretty much broken," according to HD Moore, chief research officer at Rapid7 and creator of Metasploit. He's talking about a widely deployed protocol, Intelligent Platform Management Interface (IPMI) that talks to a server's baseboard management controller(BMC).
The IPMI is a server management protocol, designed to standardize communication between server management tools and BMCs manufactured by various vendors. Both versions 1.5 and 2.0 have the "same core functionality," even though each has different features. The intelligence behind the IPMI architecture is BMC; it's like the embedded microcontroller brain on the motherboard. According to the "Widespread vulnerabilities in BMC's and the IPMI protocol" FAQ sheet, "BMCs provide remote management capabilities for servers, and supply virtual keyboard, video, mouse, power, and removable media control for computers."
Although vendors "heavily caution" users of IPMI "to never place a server's BMC on the internet because of the dangers it poses," Moore said that warning is often ignored. He told Wired, "Essentially every modern company and government on the planet relies on IPMI for system management, and internal attacks would be substantially more deadly."
After Moore "pinged the whole Internet," thereby discovering a wide range of security vulnerabilities, he said it "drew quite a lot of complaints, hate mail, and calls from law enforcement." Yet he had previously found a plethora of vulnerable devices — about 50 million IPs — due to flaws in the Universal Plug and Play protocol. After security researcher Dan Farmer, using a Defense Department DARPA Cyber Fast Track grant, found vulnerabilities in IPMI, Moore scanned the Internet again. This time he found 308,000 IPMI-enabled BMCs exposed on the net.
Of those, approximately 195,000 "only support IPMI 1.5, which does not provide any form of encryption," reported The Register. "Another 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws." 53,000 IPMI 2.0 systems rely on a weak cipher suite and are thereby vulnerable to password bypass attacks.
The FAQ sheet states:
An attacker that is able to compromise a BMC should be able to compromise its parent server. Once access to the server is gained, the attacker could copy data from any attached storage, make changes to the operating system, install a permanent backdoor, capture credentials passing through the server, launch a denial of service attack, or simply wipe the hard drives.
Sign up for CIO Asia eNewsletters.