Supermicro IPMI/BMC Vulnerability

Systems Affected
All Supermicro servers connected to the Internet and running Supermicro’s implementation of Intelligent Platform Management Interface (IPMI)/Baseboard Management Controller (BMC) may be affected. IPMI enables low-level access to a system that can override OS controls. It runs on the BMC.

This vulnerability allows attackers to remotely scan, identify, and access servers running Supermicro’s IPMI/BMC if they are connected to the Internet. While waiting for the official Supermicro patch, configure the firewall to block TCP port 49152, the known entry point attackers are likely to use.


What are IPMI and BMC?
IPMI allows a system administrator to remotely manage servers at the hardware level. It runs on BMC, a motherboard component. Essentially, IPMI/BMC helps monitor and manage the physical status of servers including their temperature, disk and memory performance, and fan speeds.

IPMI also supports remote booting from a CD or through the network. In addition, administrators can utilize BMC to run a limited set of network services to ease management and communication among several systems.

Where is the vulnerability?
Unpatched BMCs in Supermicro motherboards has a binary file that stores remote login passwords in clear text. Attackers can search for vulnerable systems by performing an Internet scan on port 49152. They can then download the said binary file using the same port and use the listed passwords to gain remote access to target systems.

What are the risks?
Access to IPMI/BMC equates to physical-level access to the target server. Attackers can therefore use this vulnerability to compromise data confidentiality, integrity, and availability of a system.

Supermicro is already aware of this security flaw. They announced that they are going to release a firmware update within the next few weeks. While waiting for the official patch, Alnitech has configured firewalls to block TCP port 49152 on all of the management networks.

For other recommended measures, visit the solution section of this US-CERT announcement.

Comments are closed.