Passwords Open to Public

Monday, June 23, 2014 @ 09:06 AM gHale


If you knew where to look, administrator passwords were available for over 30,000 servers with Supermicro baseboard management controllers (BMCs) on their motherboards, researchers said.

This normally confidential information was exposed because the company stored the password file in plain text, and the file could be downloaded by connecting to port 49152 on the BMC, said Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net.


“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” said Wikholm in a blog post. He said this is not the only file that is vulnerable to such an attack. “All the contents of the /nv/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files.”

Supermicro has fixed the issue in a new IPMI BIOS version, but the vulnerability still endangers servers because the fix requires administrators to reflash each affected BMC with the new IPMI BIOS, and that is not always possible.

For administrators who cannot reflash right away, Wikholm described a temporary workaround.

“Most of the systems affected by this particular issue also have their ‘sh’ shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command ‘shell sh’, you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix,” he said. That fix, though, only lasts until the BMC is rebooted or disconnected from power.
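As an added illustration of that workaround (this is not Wikholm's script or anything from Supermicro), the shell below automates the "kill all upnp processes and their children" step once you have dropped into the BMC's sh via SMASH. It assumes a BusyBox-style POSIX sh with a mounted /proc, that the offending processes have "upnp" somewhere in their name, and it walks the parent/child tree so that helpers spawned by the UPnP daemon are caught as well. The process table at the top is a constructed sample used only to show what the selection logic does; run the script with --apply on the BMC itself to act on the live /proc table.

```sh
#!/bin/sh
# Added example, not code from the original article. Assumptions: BusyBox sh,
# /proc mounted on the BMC, UPnP daemon and helpers named "*upnp*".

# Read "pid ppid comm" lines from stdin and print the pids to kill, one per
# line: every process whose name contains "upnp", plus all of its descendants.
upnp_targets() {
    table=$(cat)
    targets=" "
    while read -r pid ppid comm; do
        case "$comm" in *upnp*) targets="$targets$pid " ;; esac
    done <<EOF
$table
EOF
    # Re-scan the table until no new descendant is found (any tree depth).
    changed=1
    while [ "$changed" -eq 1 ]; do
        changed=0
        while read -r pid ppid comm; do
            case "$targets" in
                *" $pid "*) ;;
                *" $ppid "*) targets="$targets$pid "; changed=1 ;;
            esac
        done <<EOF
$table
EOF
    done
    for p in $targets; do printf '%s\n' "$p"; done
}

# Build the "pid ppid comm" table from /proc. In /proc/PID/stat the fields are
# "pid (comm) state ppid ..."; names with spaces are not expected on a BMC.
proc_table() {
    for d in /proc/[0-9]*; do
        [ -r "$d/stat" ] || continue
        read -r pid comm _state ppid _rest < "$d/stat" || continue
        comm=${comm#\(}
        comm=${comm%\)}
        printf '%s %s %s\n' "$pid" "$ppid" "$comm"
    done
}

# Apply the workaround against the live process table.
kill_upnp() {
    proc_table | upnp_targets | while read -r p; do
        echo "killing pid $p"
        kill "$p" 2>/dev/null || true
    done
}

# Constructed sample table (not from a real BMC) to show the selection logic:
# the UPnP daemon (120) has a worker (121) which spawned a helper (122).
SAMPLE_TABLE='1 0 init
120 1 upnp
121 120 upnp_worker
122 121 helper
130 1 sshd
140 1 upnpd'

# Returns the pids the sample table would select, sorted, space separated.
demo_targets() {
    printf '%s\n' "$SAMPLE_TABLE" | upnp_targets | sort -n | tr '\n' ' '
}

if [ "${1:-}" = "--apply" ]; then
    kill_upnp
else
    echo "sample table would kill: $(demo_targets)"
    echo "dry run on this host (re-run with --apply on the BMC to kill):"
    proc_table | upnp_targets
fi
```

Because the processes are only killed and nothing on the BMC's flash is changed, the daemon comes back on the next reboot, which is why the article's caveat stands and the firmware reflash remains the real fix.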

With the help of John Matherly — the creator of Shodan, the search engine for finding Internet-connected devices — Wikholm decided to check just how many vulnerable systems there are on the Internet. He found 31,964.

“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market,” he said in the blog. “It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination.”


