The good folks over at CARI SIRT have discovered a vulnerability in the BMC controller shipped with many Supermicro servers. The vulnerability essentially allows an attacker to connect to port 49152 and issue a GET request for a file called PSBlock, the plaintext passwd file for the service. Now, obviously given that most people know better than to leave IPMI or other management features publically accessible and most servers at the very least ship with the management controller bound to the secondary NIC (I believe Supermicro doesn’t have this sensible default set in the BIOS), so I would assume that most competent system administrators have quarantined the BMC feature within their management network.
That said, I have on several occasions opined about the danger of both IPMI on servers and Intel’s AMT on desktops – a danger that is not helped by the fact that many people aren’t even aware that their board has the feature in the first place. Of course, disabling any and all remote management features and requiring positive action (i.e. enabling IPMI, AMT and WoL manually on a BIOS setup page) to enable them would be the sensible thing for all vendors to implement given that there are large numbers of networks that don’t even use or even want the features and the risks they pose. There is patched BMC controller firmware image available from Supermicro’s website, but the CARI article indicates that as of writing there were potentially over 31k vulnerable devices publically scannable by Shodan.
Mike the Crypto Goat 