Interface weakness opens servers to attacks

A critical vulnerability in the intelligent platform management interface (IPMI) used by administrators to remotely control computer systems poses a significant threat to rack servers and cloud services running on those servers, according to a security risk assessment firm. 

“There is a no authentication mode of cipher zero mode built into IPMIs by manufacturers,” said Gordon McKay, chief technology officer of Digital Defense Inc., a network security and penetration testing firm. “If this setting has not been changed, it serves as a back door for attackers to bypass operating system defenses.”
 
 
 
He said the flaw enables hackers to hijack a baseboard interface even when the power is off.

RELATED CONTENT

Who’s using spy software on Toronto Servers?

The IPMI is a messaged-based, hardware-level interface specification. It operates independently of the operating system. The flaw involves the network accessible components of rackmount hardware and is not protected by normal OS-based security controls, according to McKay.

“Hackers send out packets to the 623 UDP port. If they get a response it means the PMI Is not asking for authentication and the hackers can just go in,” said McKay. “Once they are able to log in, it would be as if they were in the computer controlling the servers.”

Among the things a hacker could do are:

  • Reboot the computer
  • Install new operating system software
  • Steal data
  • Install a malware Trojan
  • Attackers can hijack servers even when they are powered down

“Keep in mind this is a network accessible baseboard flaw, which means that it doesn’t target the primary operating system but the embedded management agent running on the server,” wrote Mike Cotton, chief network security architect for Digital Defense. “Traditional mitigation such as firewalling all ports on the primary operating system or even shutting down the server completely won’t prevent network traffic from hitting this vector (The baseboard stays on even if the rest of the system is shutdown, so long as the power cord is plugged in).”

Cotton stressed the problem is not an isolated incident involving a single vendor, and neither is it something that occurred only in the past.

“Rackmounts have been shipping with this flaw for years and continued to do so today,” he said. “If you haven’t encountered it while performing network scans on large rackmount deployments, it’s not that it isn’t there, it’s that you scanning vendor isn’t checking for it.”

Cotton provided a remediation procedure in his post which worked on all the major rack mount servers tested by Digital Defense.

To find out what to do, click on this link.

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now