A security researcher at CARI.net has revealed that thousands of servers fitted with Supermicro motherboards are sitting on the internet, storing admin passwords in clear text, waiting to be probed by hackers and attackers.
The plain text password threat concerns the baseboard management controller (BMC), a motherboard component through which administrators can monitor the physical status of servers, including temperatures, disk and memory performance, and fan speeds.
“I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152”, noted Zachary Wikholm, Senior Security Engineer at CARI.Net.
Wikholm notes that it’s not just the password file that can be downloaded via the port: the entire /nv directory is up for grabs, and anyone can download the “server.pem file, the wsman admin password and the netconfig files”.
The security researcher said that when he contacted Supermicro, he received a standard response that the issue had been patched in the newest IPMI BIOS version.
A query on Shodan reveals that 9,867,259 devices respond to requests on port 49152, and 31,964 of these are vulnerable servers.
“It gets a bit scarier when you review some of the password statistics”, Wikholm added. “Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was “password”.”
The security researcher argues that flashing a new BIOS onto production servers isn’t always a viable option, so he has developed a workaround that lets administrators work around this vulnerability: establish a secure shell connection to the vulnerable device and disable all universal plug and play (UPnP) processes.
However, keep in mind that the vulnerability returns as soon as the server is rebooted, so a permanent fix is still a must.
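Because the UPnP workaround does not survive a reboot, administrators need a repeatable way to confirm that the BMCs on their own management network are no longer serving the /nv directory. The following audit script is an added example and is not CARI.net’s or Supermicro’s code. It assumes, as the article describes, that an affected BMC serves the PSBlock file over plain HTTP on TCP port 49152; it checks only whether the port accepts connections and whether a GET for /PSBlock returns a 200 response with a body, and stores nothing from that body. The UPnP process names on the BMC are not given in the article, so the workaround itself is not reproduced here.

```python
"""Audit check for Supermicro BMC /nv exposure on TCP 49152 (added example).

Classifies each BMC address on a management network as:
  'closed'  - nothing accepts connections on the port
  'open'    - the port answers but /PSBlock is not served (e.g. patched or UPnP disabled)
  'exposed' - /PSBlock is served with a non-empty body; this host needs remediation
Port and path come from the article; the HTTP transport is an assumption.
"""
import http.client
import socket

BMC_PORT = 49152          # port named in the article
PSBLOCK_PATH = "/PSBlock"  # password file named in the article


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def psblock_exposed(host, port, timeout=3.0):
    """Return True if GET /PSBlock answers 200 with a non-empty body.

    The body is read only to measure its length and is discarded immediately.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PSBLOCK_PATH)
        resp = conn.getresponse()
        body_len = len(resp.read())
        return resp.status == 200 and body_len > 0
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def audit_host(host, port=BMC_PORT, timeout=3.0):
    """Classify a single BMC address as 'closed', 'open' or 'exposed'."""
    if not port_open(host, port, timeout):
        return "closed"
    if psblock_exposed(host, port, timeout):
        return "exposed"
    return "open"


def audit_hosts(hosts, port=BMC_PORT, timeout=3.0):
    """Audit a list of BMC addresses and return {host: classification}."""
    return {host: audit_host(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your own BMC inventory.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for host, state in audit_hosts(inventory).items():
        print(f"{host}: {state}")
```

Run it against the BMC address list after every reboot (or from a scheduled job) and treat any host reported as `exposed` as one where the workaround has been undone and the UPnP processes need to be disabled again, or the BIOS update applied.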