Introduction



This post summarizes the results of a limited security analysis of the Supermicro IPMI firmware. This firmware is used in the baseboard management controller (BMC) of many Supermicro motherboards.


The majority of our findings relate to firmware version SMT_X9_226. The information in this post was provided to Supermicro on August 22nd, 2013 in accordance with the Rapid7 vulnerability disclosure policy. More information on this policy can be found online at http://www.rapid7.com/disclosure.jsp. Note that this assessment did not include the actual IPMI network services and was primarily focused on default keys, credentials, and the web management interface.


Although we have a number of Metasploit modules in development to test these issues, they are not quite ready for production use yet, so stay tuned for next week's Metasploit update. At our last count, over 35,000 Supermicro IPMI interfaces were exposed to the public internet.


Supermicro has published a new firmware version (SMT_X9_315) that appears to address many of the issues identified below, as well as those reported by other researchers. We have updated each entry to indicate how the new firmware version affects that issue.


A cursory review of the new firmware shows significant improvements, but we still recommend disconnecting the IPMI interface from untrusted networks and limiting access through another form of authentication (VPN, etc).



 

Static Encryption Keys (CVE-2013-3619)

The firmware ships with hardcoded private keys for both the Lighttpd web server SSL interface and the Dropbear SSH daemon. Every device running the same firmware image therefore presents the same keys, and anyone who downloads the publicly available Supermicro firmware can extract them. An attacker holding these keys can impersonate the BMC in a man-in-the-middle attack and can decrypt captured sessions offline. The SSL key can be replaced by the user, but there is no option to replace or regenerate the SSH host key.

We have not been able to determine whether firmware version SMT_X9_315 resolves this issue.
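As an added illustration (this is not code from the original post, from Rapid7's modules or from Supermicro), the scanner below carves private keys out of an in-memory copy of a firmware image. It looks for PEM private-key blocks, which is how a Lighttpd SSL key is normally stored, and for raw Dropbear RSA host keys, assumed here to follow the SSH wire layout (the string "ssh-rsa" followed by the mpints e, n, d, p, q, each prefixed with a 4-byte big-endian length). The function names, the 0xff-filled sample image and the dummy key bodies inside it are all constructed for this example; the sample contains no real key material.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Rapid7's or Supermicro's code): carve private keys out of
 * an in-memory firmware image.  Two layouts are recognised:
 *  - PEM "-----BEGIN ... PRIVATE KEY-----" blocks, the usual form of a Lighttpd SSL key;
 *  - raw Dropbear RSA host keys, assumed here to be SSH wire format: the string
 *    "ssh-rsa" followed by the mpints e, n, d, p, q, each a 4-byte big-endian
 *    length plus that many bytes. */

typedef struct { size_t offset, length; const char *kind; } key_hit;

/* Portable memmem(): first occurrence of needle inside hay, or NULL. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t len,
                                       const void *needle, size_t nlen)
{
    for (size_t i = 0; nlen && i + nlen <= len; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Next PEM block at/after *pos.  Certificates and public keys are skipped;
 * only blocks whose BEGIN line says PRIVATE KEY are reported. */
static int carve_pem(const unsigned char *img, size_t len, size_t *pos, key_hit *out)
{
    while (*pos < len) {
        const unsigned char *b = find_bytes(img + *pos, len - *pos, "-----BEGIN ", 11);
        if (!b) return 0;
        size_t bo = (size_t)(b - img);
        const unsigned char *e = find_bytes(b, len - bo, "-----END ", 9);
        if (!e) return 0;
        const unsigned char *nl = memchr(e, '\n', len - (size_t)(e - img));
        size_t stop = nl ? (size_t)(nl - img) + 1 : len;        /* end of the END line */
        int is_priv = find_bytes(b, len - bo < 64 ? len - bo : 64, "PRIVATE KEY-----", 16) != NULL;
        *pos = stop;
        if (is_priv) { out->offset = bo; out->length = stop - bo; out->kind = "pem"; return 1; }
    }
    return 0;
}

static uint32_t be32(const unsigned char *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Length of a Dropbear RSA private key at off ("ssh-rsa" + 5 mpints), or 0 if
 * the length fields do not all fit inside the image. */
static size_t dropbear_rsa_len(const unsigned char *img, size_t len, size_t off)
{
    size_t cur = off;
    for (int field = 0; field < 6; field++) {
        if (len - cur < 4) return 0;
        uint32_t n = be32(img + cur);
        cur += 4;
        if (n == 0 || n > len - cur) return 0;
        cur += n;
    }
    return cur - off;
}

/* Next Dropbear-layout RSA key at/after *pos.  A bare public key ("ssh-rsa", e, n)
 * followed by unrelated bytes can produce a false hit, so a caller should check
 * that a carved blob really parses as RSA before trusting it. */
static int carve_dropbear(const unsigned char *img, size_t len, size_t *pos, key_hit *out)
{
    static const unsigned char magic[] = { 0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a' };
    while (*pos < len) {
        const unsigned char *m = find_bytes(img + *pos, len - *pos, magic, sizeof magic);
        if (!m) return 0;
        size_t mo = (size_t)(m - img), n = dropbear_rsa_len(img, len, mo);
        *pos = n ? mo + n : mo + 1;
        if (n) { out->offset = mo; out->length = n; out->kind = "dropbear-rsa"; return 1; }
    }
    return 0;
}

/* Scan a whole image; fills hits[] (PEM first, then Dropbear) and returns the count. */
size_t carve_keys(const unsigned char *img, size_t len, key_hit *hits, size_t max)
{
    size_t n = 0, pos;
    for (pos = 0; n < max && carve_pem(img, len, &pos, &hits[n]); n++) ;
    for (pos = 0; n < max && carve_dropbear(img, len, &pos, &hits[n]); n++) ;
    return n;
}

/* Constructed sample image: 0xff filler, a certificate (must be skipped), a PEM
 * private key with a dummy body, and a Dropbear-layout key with tiny dummy
 * mpints.  None of this is real key material. */
static unsigned char sample[512];
size_t build_sample(void)
{
    static const char cert[] = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n";
    static const char key[]  = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n";
    static const unsigned char db[] = { 0,0,0,7,'s','s','h','-','r','s','a',
        0,0,0,3,1,0,1,  0,0,0,2,0x0b,0xff,  0,0,0,2,0x01,0x23,  0,0,0,1,0x0d,  0,0,0,1,0x0e };
    size_t off = 32;
    memset(sample, 0xff, sizeof sample);
    memcpy(sample + off, cert, sizeof cert - 1); off += sizeof cert - 1 + 16;   /* cert at 32 */
    memcpy(sample + off, key, sizeof key - 1);   off += sizeof key - 1 + 40;    /* key at 107 */
    memcpy(sample + off, db, sizeof db);         off += sizeof db;              /* dropbear at 226 */
    return off;                                                                 /* 266 bytes used */
}

int main(void)
{
    size_t len = build_sample();
    key_hit hits[8];
    size_t n = carve_keys(sample, len, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("%-13s at offset %zu, %zu bytes\n", hits[i].kind, hits[i].offset, hits[i].length);
    return 0;
}
```

Run it over the unpacked root filesystem (or the raw flash image) of the firmware you actually have deployed. The first three fields of a carved Dropbear key (the "ssh-rsa" string, e and n) are exactly the public key blob that ssh-keyscan prints base64-encoded, so if that blob matches what your BMC presents on port 22, the device is using the shared key and any other BMC on the same firmware can impersonate it.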


 

 

 

Hardcoded WSMan Credentials (CVE-2013-3620)

The firmware contains two sets of credentials for the OpenWSMan interface. The first is the digest authentication file, which contains a single account with a static password. This password cannot be changed by the user and is effectively a backdoor. The second is the basic authentication password file stored in the nv partition: due to what appears to be a bug in the firmware, changing the password of the ADMIN account leaves the OpenWSMan password unchanged (still set to admin). In both cases the WSMan password stays predictable regardless of what the administrator does through the web interface.

We have not been able to determine whether firmware version SMT_X9_315 resolves this issue.


 

 

CGI: login.cgi (CVE-2013-3621)

The login.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the name parameter: the value is copied with strcpy() into a 128-byte buffer without any length check. The second occurs when processing the pwd parameter: the value is copied with strcpy() into a 24-byte buffer without any length check. Because login.cgi is reachable without authentication, exploitation of either overflow would result in unauthenticated remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).

 

if ( cgiGetVariable("name") )
{
  v2 = (const char *)cgiGetVariable("name");
  strcpy(&dest, v2);        /* name -> 128-byte buffer, no length check */
}
if ( cgiGetVariable("pwd") )
{
  v3 = (const char *)cgiGetVariable("pwd");
  strcpy(&v13, v3);         /* pwd -> 24-byte buffer, no length check */
}


Firmware version SMT_X9_315 removes the use of strcpy() and limits the length of the name and pwd values to 64 and 20 respectively.

 

 

CGI: close_window.cgi (CVE-2013-3623)

The close_window.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the sess_sid parameter: the value is copied with strcpy() to a 20-byte stack buffer without any length check. The second occurs when processing the ACT parameter: the value is appended with strcat() to a 20-byte stack buffer without any length check, so a value shorter than the buffer can still overflow it once the bytes already present are counted. Exploitation of either overflow would result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).


if ( cgiGetVariable("sess_sid") )
{
  v1 = (const char *)cgiGetVariable("sess_sid");
  strcpy(&v19, v1);         /* sess_sid -> 20-byte stack buffer, no length check */
}

...

if ( cgiGetVariable("ACT") )
{
  v3 = (const char *)cgiGetVariable("ACT");
  strcat(&nptr, v3);        /* ACT appended to 20-byte stack buffer, no length check */
  ...


Firmware version SMT_X9_315 completely removes this CGI from the web interface.

 

 

 

CGI: logout.cgi (CVE-2013-3622) [ authenticated ]

The logout.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the SID parameter: the value is copied with strcpy() into a 20-byte buffer without any length check. The second occurs in further handling of the same SID value, which is appended with strcat() into a 32-byte buffer without any length check. Reaching this code requires a valid session, but exploitation of either overflow would still result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).



if ( cgiGetVariable("SID") )
{
  v4 = (const char *)cgiGetVariable("SID");
  strcpy(&s, v4);           /* SID -> 20-byte buffer, no length check */
}


Firmware version SMT_X9_315 switches to a GetSessionCookie() function that limits the length of the SID variable returned to this code and no longer calls strcpy().
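The three CGI findings above (login.cgi, close_window.cgi and logout.cgi) share one bug pattern, so a single added example covers them. The C below is not Supermicro's or Rapid7's code: it models a CGI fetching a parameter and placing it in a fixed-size buffer, with the unbounded strcpy()/strcat() calls replaced by bounded versions that refuse over-length input instead of writing past the buffer. query_get() is a minimal stand-in for the cgiGetVariable() seen in the decompiled output and does no URL decoding; the buffer sizes are the ones reported above; the "ACT=" prefix in act_param() is hypothetical, since the decompiled output does not show what nptr already holds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Supermicro's code).  Models the pattern shared by
 * login.cgi, close_window.cgi and logout.cgi: a CGI parameter is fetched and
 * strcpy()'d or strcat()'d into a small fixed buffer.  query_get() is a minimal
 * stand-in for the cgiGetVariable() in the decompiled output (no URL decoding);
 * the buffer sizes are the ones reported in the post. */

#define NAME_MAX 128   /* login.cgi name buffer */
#define PWD_MAX   24   /* login.cgi pwd buffer */
#define ACT_MAX   20   /* close_window.cgi ACT buffer, filled with strcat() */

/* Find key in "k1=v1&k2=v2": returns a pointer into qs and the value length. */
static const char *query_get(const char *qs, const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    for (const char *p = qs; p && *p; ) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && p[klen] == '=' && memcmp(p, key, klen) == 0) {
            *vlen = plen - klen - 1;
            return p + klen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Bounded strcpy(): copy only if value plus terminator fits in cap bytes.
 * Returns 0 on success, -1 where the firmware would have overflowed. */
int copy_param(char *dst, size_t cap, const char *val, size_t vlen)
{
    if (!val || vlen >= cap) return -1;
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return 0;
}

/* Bounded strcat(): the bound must subtract what dst already holds.  That is
 * the detail the strcat() calls in close_window.cgi and logout.cgi miss, so a
 * value shorter than the buffer can still run off the end. */
int append_param(char *dst, size_t cap, const char *val, size_t vlen)
{
    const char *nul = memchr(dst, '\0', cap);
    if (!val || !nul) return -1;                 /* dst not terminated within cap */
    size_t used = (size_t)(nul - dst);
    if (vlen >= cap - used) return -1;
    memcpy(dst + used, val, vlen);
    dst[used + vlen] = '\0';
    return 0;
}

/* login.cgi, hardened.  Original: strcpy(&dest, name); strcpy(&v13, pwd); */
int login_params(const char *qs, char name[NAME_MAX], char pwd[PWD_MAX])
{
    size_t nlen = 0, plen = 0;
    const char *n = query_get(qs, "name", &nlen), *p = query_get(qs, "pwd", &plen);
    name[0] = pwd[0] = '\0';
    if (n && copy_param(name, NAME_MAX, n, nlen) != 0) return -1;
    if (p && copy_param(pwd, PWD_MAX, p, plen) != 0) return -1;
    return 0;
}

/* close_window.cgi, hardened.  Original: strcat(&nptr, ACT).  The "ACT="
 * prefix is hypothetical; the decompiled output does not show what nptr holds. */
int act_param(const char *qs, char buf[ACT_MAX])
{
    size_t alen = 0;
    const char *a = query_get(qs, "ACT", &alen);
    strcpy(buf, "ACT=");                          /* 4 bytes already in the buffer */
    return a ? append_param(buf, ACT_MAX, a, alen) : 0;
}

/* Drive a handler with a value of n repeated 'A's under the given key and
 * return its result, so the exact overflow boundary can be checked. */
int submit_len(const char *key, size_t n)
{
    char name[NAME_MAX], pwd[PWD_MAX], act[ACT_MAX], *q = malloc(strlen(key) + n + 2);
    snprintf(q, strlen(key) + 2, "%s=", key);
    memset(q + strlen(key) + 1, 'A', n);
    q[strlen(key) + 1 + n] = '\0';
    int rc = strcmp(key, "ACT") == 0 ? act_param(q, act) : login_params(q, name, pwd);
    free(q);
    return rc;
}

int main(void)
{
    char name[NAME_MAX], pwd[PWD_MAX];
    printf("name=ADMIN&pwd=ADMIN -> %d\n", login_params("name=ADMIN&pwd=ADMIN", name, pwd));
    printf("name x127 -> %d, name x128 -> %d\n", submit_len("name", 127), submit_len("name", 128));
    printf("pwd  x23  -> %d, pwd  x24  -> %d\n", submit_len("pwd", 23), submit_len("pwd", 24));
    printf("ACT  x15  -> %d, ACT  x16  -> %d (4 bytes already in the buffer)\n",
           submit_len("ACT", 15), submit_len("ACT", 16));
    return 0;
}
```

The append case is the one to note: with four bytes already in a 20-byte buffer, a 16-byte ACT value overflows even though it is shorter than the buffer. A limit on the input length alone is sufficient for a strcpy() into a known buffer, but wherever strcat() is used the check has to account for what the buffer already contains.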

 



CGI: url_redirect.cgi (NO CVE) [ authenticated ]

The url_redirect.cgi CGI application appears to be vulnerable to a directory traversal attack because the url_name parameter is not sanitized before it is joined to a directory path and opened. This may allow an attacker with a valid non-privileged account to read the contents of any file on the system, since the CGI runs as root. That includes the /nv/PSBlock file, which contains the clear-text credentials for all configured accounts, including the administrative user, so a low-privileged web account can be turned into full administrative control of the BMC. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).


/* s holds the user-supplied file name; it is joined to a directory taken from ext_name_table and opened as-is */
sprintf(&v23, "%s/%s", *(_DWORD *)&ext_name_table[12 * i + 8], s);
v18 = fopen(&v23, "r");


Firmware version SMT_X9_315 appears to fix this issue.
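As an added example (not the firmware's code), here is the hardened form of the join shown above: url_name is accepted only as a single plain file name, the directory is chosen from a made-up table standing in for ext_name_table, and the path is built with a bounded snprintf(), which also closes the unbounded sprintf() write into the fixed-size path buffer visible in the snippet. The table entries and the /web/... directories are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Supermicro's code).  The decompiled url_redirect.cgi does
 * sprintf(path, "%s/%s", dir, url_name) and then fopen()s the result.  This is
 * the hardened form: url_name is accepted only as a single plain file name and
 * the join is bounded with snprintf(), which also removes the unbounded
 * sprintf() write into the fixed-size path buffer.  ext_dir[] is a made-up
 * stand-in for the firmware's ext_name_table. */

#define PATH_CAP 256

/* Hypothetical extension -> directory table standing in for ext_name_table. */
static const struct { const char *ext, *dir; } ext_dir[] = {
    { ".png",  "/web/images" },
    { ".html", "/web/pages"  },
    { ".js",   "/web/js"     },
};

/* Directory the file would be served from, or NULL if the extension is not served. */
const char *dir_for_name(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot) return NULL;
    for (size_t i = 0; i < sizeof ext_dir / sizeof ext_dir[0]; i++)
        if (strcmp(dot, ext_dir[i].ext) == 0) return ext_dir[i].dir;
    return NULL;
}

/* One plain path component only: no '/' or '\\', not "." or "..", no control
 * bytes.  Run this on the URL-decoded value, i.e. what cgiGetVariable() returns;
 * otherwise "..%2f" slips past the separator check and is decoded later. */
int name_is_safe(const char *name)
{
    if (!name || !*name || !strcmp(name, ".") || !strcmp(name, "..")) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f) return 0;
    return 1;
}

/* Bounded replacement for the sprintf()/fopen() pair.  Fills out (cap bytes)
 * and returns 0, or returns -1 with out emptied when the name is rejected, has
 * no served extension, or would not fit. */
int build_path(const char *url_name, char *out, size_t cap)
{
    const char *dir;
    if (cap) out[0] = '\0';
    if (!name_is_safe(url_name) || !(dir = dir_for_name(url_name))) return -1;
    int n = snprintf(out, cap, "%s/%s", dir, url_name);
    if (n < 0 || (size_t)n >= cap) { if (cap) out[0] = '\0'; return -1; }
    return 0;
}

/* 1 if url_name is accepted and joins to exactly expect; used by main() and tests. */
int joins_to(const char *url_name, const char *expect)
{
    char path[PATH_CAP];
    return build_path(url_name, path, sizeof path) == 0 && strcmp(path, expect) == 0;
}

int main(void)
{
    const char *names[] = { "logo.png", "page.html", "../../nv/PSBlock", "..", "a\\b.png", "PSBlock" };
    char path[PATH_CAP];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s -> %s\n", names[i],
               build_path(names[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

The lexical check has to run on the decoded value that cgiGetVariable() hands back; if anything decodes the string again afterwards, an encoded separator would get through. Where symlinks inside the served directories are a concern, open the file and then confirm with realpath() that the resolved path still starts with the expected directory.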

 

 

CGI: miscellaneous (NO CVE) [ authenticated ]

Numerous unbounded strcpy(), memcpy(), and sprintf() calls are performed by the other 65+ CGI applications available through the web interface. Most of these applications verify that the user has a valid session first, limiting exposure to authenticated users, but the review was not comprehensive. All instances of unsafe string handling and system command construction should be reviewed and corrected as necessary. Exploitation of these issues would allow a low-privileged user to gain root access to the device.


Firmware version SMT_X9_315 has reorganized the web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy(). In addition, the config_tftpd.cgi and snmp_config.cgi CGI applications now validate that the user has a valid session first. They did not before, but it wasn't clear what risk this posed. In fact, the only two CGI applications that are now exposed to unauthenticated users are vmstatus.cgi and login.cgi.

 





Disclosure Timeline


2013-08-22 (Thu) : Initial discovery and disclosure to vendor

2013-09-07 (Fri) : Vendor response

2013-09-09 (Mon) : Disclosure to CERT/CC

2013-10-23 (Wed) : Planned public disclosure (delayed)

2013-11-06 (Wed) : Public disclosure

2013-11-06 (Wed) : Scanner modules written

2013-11-06 (Thu) : Vendor indicates a fix is available