
Despite patches, Supermicro's IPMI firmware is far from secure, researchers say

Lucian Constantin | Nov. 8, 2013
The Intelligent Platform Management Interface (IPMI) implementation found in motherboards from server manufacturer Supermicro suffers from serious vulnerabilities that could allow attackers to remotely compromise the management controllers in servers that use them.

"Firmware version SMT_X9_315 has reorganized the web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy()," the researchers said. In addition, accessing most CGI applications now requires authentication, with the exception of vmstatus.cgi and login.cgi, they said.

However, the Rapid7 researchers identified new issues that could allow remote root access without authentication through many of the CGI applications; those issues have now also been reported to Supermicro.

"A cursory review of the new firmware shows significant improvements, but far more work is needed to provide a secure management console," the researchers said. "In the meantime, please treat the Supermicro IPMI web management interface the same way you would an unprotected root shell on the server it is attached to; disconnected from untrusted networks with access limited through another form of authentication (VPN, etc)."

According to the Rapid7 researchers, there are over 35,000 Supermicro IPMIs exposed to the Internet.
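The practical takeaway from the Rapid7 advice above is that a BMC's web interface should only be reachable from an isolated management network behind a VPN. The following is an added example, not code from the article or from Rapid7, of a small inventory audit a defender can run to find BMC addresses that violate that rule. The inventory and the management subnet (10.99.0.0/24) are constructed assumptions; the optional live check is a plain TCP connect to the web ports and should be run from an untrusted vantage point against your own equipment.

```python
"""Audit a BMC/IPMI inventory for management interfaces that sit outside the
isolated management network (added example; addresses below are constructed)."""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Constructed sample inventory: host name -> address of its IPMI/BMC interface.
SAMPLE_INVENTORY: Dict[str, str] = {
    "db01-bmc": "10.99.0.11",
    "web03-bmc": "10.99.0.23",
    "legacy-bmc": "203.0.113.45",  # documentation range standing in for a public IP
    "lab-bmc": "192.168.50.9",     # private, but not on the management VLAN
}

# Assumed policy: the only network allowed to carry IPMI/BMC traffic is the
# out-of-band management VLAN, itself reachable solely through the VPN.
MANAGEMENT_NETS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("10.99.0.0/24")]

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private so
# that documentation/test ranges are not silently treated as internal.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_bmc(addr: str, allowed: Iterable[ipaddress.IPv4Network] = MANAGEMENT_NETS) -> str:
    """Return 'ok', 'misplaced' (private but off the management VLAN) or
    'exposed' (not RFC 1918 at all, i.e. potentially Internet-routable)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in allowed):
        return "ok"
    if any(ip in net for net in RFC1918):
        return "misplaced"
    return "exposed"  # treat exactly like an unprotected root shell on the host


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every BMC in the inventory."""
    return {name: classify_bmc(addr) for name, addr in inventory.items()}


def findings(inventory: Dict[str, str]) -> List[str]:
    """Names of BMCs that need attention, sorted for stable reporting."""
    return sorted(n for n, status in audit_inventory(inventory).items() if status != "ok")


def web_ports_open(addr: str, ports: Iterable[int] = (80, 443), timeout: float = 1.0) -> List[int]:
    """Live check (not exercised offline): which BMC web ports accept a TCP
    connection from wherever this script is run. Run it from outside the
    management VLAN; any open port there means the isolation is broken."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


if __name__ == "__main__":
    for name, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {SAMPLE_INVENTORY[name]:16s} {status}")
```

A BMC reported as "exposed" or "misplaced" should be moved onto the management VLAN or firewalled so that only the VPN concentrator can reach it; the offline classification is deliberately conservative and flags documentation ranges as exposed rather than trusting `ipaddress.is_private`.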
