"In short - any weakness of the BMC can be used to get an almost-physical level of access to the server," Moore told Wired. These security flaws are much more serious than those in other equipment he has scanned and found exposed on the Internet, Moore told Dark Reading.
"It's one thing to be hacking some crappy home router, but it's another thing" to see servers wide open to attack, he says. And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.
Wolfgang Kandek, chief technology officer for Qualys, agreed that "Plugging the vulnerabilities is not possible, given they are built into the specification." He suggested several mitigation solutions to CSO.
The researchers' FAQ sheet explains, "Perhaps the most straightforward way to break into a server through a compromised BMC is by rebooting the server from a 'virtual' CD-ROM and using a rescue disk ... The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality."
The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system.
Chris Wysopal, CTO at Veracode, told Dark Reading, "This definitely qualifies for the moniker 'gaping security hole.' These management interfaces give, as Dan [Farmer] says, 'equivalent to physical access' and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."
Moore, in Rapid7's penetration tester's guide to IPMI and BMCs, wrote:
The issues covered in this post were uncovered in a relatively short amount of time and have barely scratched the surface of possibilities. In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys. The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.
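As an added defender's example (not code from the article, Rapid7 or Dan Farmer), the following Python decodes a captured IPMI "Get Channel Authentication Capabilities" response, the reply a BMC sends at the start of session setup, and flags the configuration weaknesses Moore's list alludes to: anonymous or null-user login and the "none" authentication type. The byte layout is taken from the IPMI 2.0 specification and the sample response is constructed for illustration; both are assumptions of this example, not values from the page.

```python
"""Decode an IPMI 'Get Channel Authentication Capabilities' response and
flag weak settings. Added example, not code from the article or Rapid7.
Byte layout per IPMI 2.0 spec section 22.13; the sample bytes are constructed."""

# Bit positions in the "authentication type support" byte (IPMI 1.5 types).
AUTH_TYPES = {0: "none", 1: "MD2", 2: "MD5", 4: "straight password", 5: "OEM"}


def decode_auth_caps(data: bytes) -> dict:
    """Parse the 9 response data bytes; raise on a truncated or failed reply."""
    if len(data) < 9:
        raise ValueError("response too short: %d bytes" % len(data))
    if data[0] != 0x00:
        raise ValueError("completion code 0x%02x" % data[0])
    auth, flags, ext = data[2], data[3], data[4]
    v2 = bool(auth & 0x80)  # bit 7: extended (IPMI 2.0) capabilities present
    return {
        "channel": data[1],
        "auth_types": [name for bit, name in AUTH_TYPES.items() if auth & (1 << bit)],
        "ipmi_2_0": v2 and bool(ext & 0x02),   # channel accepts RMCP+ sessions
        "ipmi_1_5": v2 and bool(ext & 0x01),   # channel accepts IPMI 1.5 sessions
        "kg_default": v2 and not (flags & 0x20),  # bit 5 clear: Kg key is all zeros
        "per_message_auth_disabled": bool(flags & 0x10),
        "user_level_auth_disabled": bool(flags & 0x08),
        "null_usernames": bool(flags & 0x02),
        "anonymous_login": bool(flags & 0x01),
        "oem_id": int.from_bytes(data[5:8], "little"),  # IANA enterprise number
    }


def weak_settings(caps: dict) -> list:
    """Return the findings a BMC audit should raise for this channel."""
    findings = []
    if "none" in caps["auth_types"]:
        findings.append("auth type 'none' offered")
    if caps["anonymous_login"]:
        findings.append("anonymous login enabled")
    if caps["null_usernames"]:
        findings.append("null usernames enabled")
    if caps["user_level_auth_disabled"]:
        findings.append("user-level authentication disabled")
    return findings


# Constructed sample: channel 1, IPMI 2.0 capable, offers none/MD2/MD5/password,
# anonymous and null-user login enabled, Kg at default, no OEM data.
SAMPLE = bytes.fromhex("000197070300000000")

if __name__ == "__main__":
    for finding in weak_settings(decode_auth_caps(SAMPLE)):
        print("WEAK:", finding)
```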