Recently, Supermicro and a number of other companies have come under fire due to the inherent vulnerabilities in their IPMI implementation. In this article, I’ll be exploring the results of the vulnerability, and the ways in which this can be exploited, as well as some important mitigation strategies.
What is cipher-suite 0?
Cipher-suite 0 is a pseudo-cipher suite used in IPMI implementations which simply ignores authentication and allows full access without valid credentials.
This allows a remote attacker to exploit the BMC IPMI interface present in many rackmount servers to gain remote console access to the hardware and a shell on the embedded controller.
How do we exploit it?
Those familiar with IPMI will be experienced with the ipmitool command, used to locally or remotely control the IPMI controller from Linux. To use ipmitool with cipher-suite 0, simply pass the -C 0 flag to the command. For example:
# ipmitool -I lanplus -C 0 -H 10.0.0.2 -U ADMIN -P password user list
Let’s break down what this command does:
ipmitool: The command used to control IPMI interfaces.
-I lanplus: Specifies the IPMI v2 protocol.
-C 0: Cipher-suite 0, the subject of this article.
-H 10.0.0.2: Remote host to run the command against.
-U ADMIN: Username: use a valid username from the table below.
-P password: Password: arbitrary, since it’s ignored anyway.
user list: The command we wish to run. In this case, return a list of users.
This command will complete without issue despite not knowing the actual password.
Default usernames and passwords:
Using ipmitool, we’re able to disable cipher-suite 0. Run the following command on the local machine, or modify the flags to run it remotely:
ipmitool -I open raw 0xC 0x1 1 0x18 0 0x40 0x44 0x44 0x44 0x44 0x44 0x44 0x4
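The raw command above is a Set LAN Configuration Parameters request (NetFn 0xC, command 0x1) writing parameter 0x18, the per-cipher-suite maximum privilege table: one 4-bit privilege code per suite, two suites per byte. The following Python is an added example, not code from the article or from Supermicro; it decodes and re-encodes that byte table so you can see that the bytes mean "suite 0 disabled, suites 1..14 Administrator", and it checks the "Cipher Suite Priv Max" line that ipmitool's `lan print` reports so you can verify a BMC after applying the fix. The sample `lan print` output is constructed; the privilege letters (X, c, u, o, a, O) follow ipmitool's legend for that line.

```python
from typing import List, Optional

# Privilege levels as coded in IPMI v2.0 LAN configuration parameter 0x18
# ("RMCP+ Messaging Cipher Suite Privilege Levels"), one nibble per cipher
# suite, and the one-letter form ipmitool prints for "Cipher Suite Priv Max".
PRIV_CODES = {"X": 0, "c": 1, "u": 2, "o": 3, "a": 4, "O": 5}
PRIV_LETTERS = {code: letter for letter, code in PRIV_CODES.items()}


def encode_priv_max(priv_letters: str) -> List[int]:
    """Turn a 15-letter string (cipher suites 0..14) into the 9 data bytes that
    follow the parameter number 0x18 in the raw Set LAN Configuration command."""
    if len(priv_letters) != 15:
        raise ValueError("need one letter for each cipher suite 0..14")
    codes = [PRIV_CODES[ch] for ch in priv_letters] + [0]  # suite 15 nibble left unused
    data = [0x00]  # first data byte of parameter 0x18 is reserved
    for even_suite, odd_suite in zip(codes[0::2], codes[1::2]):
        # bits [3:0] hold the even-numbered suite, bits [7:4] the following one
        data.append((odd_suite << 4) | even_suite)
    return data


def decode_priv_max(data: List[int]) -> str:
    """Inverse of encode_priv_max: 9 data bytes -> 15-letter privilege string."""
    if len(data) != 9:
        raise ValueError("parameter 0x18 carries 1 reserved byte + 8 nibble-pair bytes")
    letters = []
    for byte in data[1:]:
        letters.append(PRIV_LETTERS.get(byte & 0x0F, "?"))
        letters.append(PRIV_LETTERS.get(byte >> 4, "?"))
    return "".join(letters[:15])


def raw_command(channel: int, priv_letters: str) -> str:
    """Assemble the ipmitool raw command: NetFn 0xC (Transport), command 0x1
    (Set LAN Configuration Parameters), channel, parameter 0x18, data bytes."""
    body = [channel, 0x18] + encode_priv_max(priv_letters)
    return "ipmitool -I open raw 0xc 0x1 " + " ".join(f"0x{b:x}" for b in body)


def cipher0_privilege(lan_print_output: str) -> Optional[str]:
    """Pull the cipher suite 0 privilege letter (first character of the
    "Cipher Suite Priv Max" value) out of `ipmitool lan print` output."""
    for line in lan_print_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Cipher Suite Priv Max":
            value = value.strip()
            return value[0] if value else None
    return None


def cipher0_enabled(lan_print_output: str) -> bool:
    """True when cipher suite 0 still has any privilege level assigned."""
    letter = cipher0_privilege(lan_print_output)
    return letter is not None and letter != "X"


# Constructed sample of the relevant lines from `ipmitool lan print 1` on a
# BMC that still honours cipher suite 0 at Administrator level.
SAMPLE_BEFORE = """\
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

if __name__ == "__main__":
    print("cipher suite 0 enabled:", cipher0_enabled(SAMPLE_BEFORE))
    # Disable suite 0, leave 1..14 at Administrator: reproduces the article's bytes.
    print(raw_command(1, "X" + "a" * 14))
    print(decode_priv_max([0x00, 0x40, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x04]))
```

After running the fix, `ipmitool lan print 1` should show the "Cipher Suite Priv Max" value starting with X; feeding that output to `cipher0_enabled` makes the check scriptable across a fleet. The encoder also lets you keep a tighter table than the article's (for example leaving suites that offer no confidentiality unused) rather than copying magic bytes.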
This should disable cipher-suite 0, effectively mitigating the flaw. Further, make sure you keep IPMI interfaces off public IP addresses, or addresses accessible to people who don’t need them. If you run an IDS, make sure it has cipher-suite 0 in its signature database.
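For the IDS point: cipher-suite 0 is negotiated in the RMCP+ Open Session Request (UDP/623), whose payload carries an authentication, an integrity and a confidentiality algorithm record; suite 0 is the only suite whose authentication algorithm is "none" (code 0). The following Python is an added example, not code from the article or any IDS product; it builds constructed Open Session Request datagrams from the IPMI v2.0 field layout and parses them to flag a suite-0 negotiation, which is the same condition a signature for this flaw keys on. The packet builder exists only so the detector can be exercised offline; the session ID and privilege values in the samples are made up.

```python
import struct
from typing import Dict, Iterable, List, Optional

# Field values from the IPMI v2.0 RMCP+ session setup.
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])  # RMCP v1, reserved, seq 0xFF (no ACK), class = IPMI
AUTH_TYPE_RMCP_PLUS = 0x06
PAYLOAD_OPEN_SESSION_REQUEST = 0x10
AUTH_ALG_NAMES = {0: "none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
INTEG_ALG_NAMES = {0: "none", 1: "HMAC-SHA1-96", 2: "HMAC-MD5-128", 3: "MD5-128", 4: "HMAC-SHA256-128"}
CONF_ALG_NAMES = {0: "none", 1: "AES-CBC-128", 2: "xRC4-128", 3: "xRC4-40"}


def build_open_session_request(auth_alg: int, integ_alg: int, conf_alg: int,
                               console_sid: int = 0xA0A1A2A3, max_priv: int = 0x04) -> bytes:
    """Construct an RMCP+ Open Session Request (test input only, values constructed)."""
    def alg_record(ptype: int, alg: int) -> bytes:
        # payload type, 2 reserved, record length (always 8), algorithm in bits [5:0], 3 reserved
        return bytes([ptype, 0x00, 0x00, 0x08, alg & 0x3F, 0x00, 0x00, 0x00])
    payload = bytes([0x00, max_priv, 0x00, 0x00]) + struct.pack("<I", console_sid)
    payload += alg_record(0x00, auth_alg) + alg_record(0x01, integ_alg) + alg_record(0x02, conf_alg)
    session_hdr = (bytes([AUTH_TYPE_RMCP_PLUS, PAYLOAD_OPEN_SESSION_REQUEST])
                   + struct.pack("<I", 0) + struct.pack("<I", 0)  # session ID and sequence are 0 before a session exists
                   + struct.pack("<H", len(payload)))
    return RMCP_HEADER + session_hdr + payload


def parse_open_session_request(pkt: bytes) -> Optional[Dict[str, object]]:
    """Return the algorithms requested by an Open Session Request, or None when
    the datagram is something else (IPMI 1.5 session, RAKP message, garbage)."""
    if len(pkt) < 16 or pkt[:4] != RMCP_HEADER or pkt[4] != AUTH_TYPE_RMCP_PLUS:
        return None
    if pkt[5] & 0x3F != PAYLOAD_OPEN_SESSION_REQUEST:
        return None
    (length,) = struct.unpack_from("<H", pkt, 14)
    payload = pkt[16:16 + length]
    if len(payload) < 32:
        return None
    algs: Dict[str, int] = {}
    for offset, name in ((8, "auth"), (16, "integrity"), (24, "confidentiality")):
        rec = payload[offset:offset + 8]
        if rec[3] != 8:  # malformed record length; do not guess
            return None
        algs[name] = rec[4] & 0x3F
    return {
        "max_priv": payload[1],
        "auth": AUTH_ALG_NAMES.get(algs["auth"], f"unknown({algs['auth']})"),
        "integrity": INTEG_ALG_NAMES.get(algs["integrity"], f"unknown({algs['integrity']})"),
        "confidentiality": CONF_ALG_NAMES.get(algs["confidentiality"], f"unknown({algs['confidentiality']})"),
        # Cipher suite 0 is the only suite with authentication algorithm "none".
        "cipher_zero": algs["auth"] == 0,
    }


def find_cipher_zero_attempts(datagrams: Iterable[bytes]) -> List[int]:
    """Indexes of datagrams that try to open a session with no authentication."""
    hits = []
    for i, pkt in enumerate(datagrams):
        info = parse_open_session_request(pkt)
        if info and info["cipher_zero"]:
            hits.append(i)
    return hits


# Constructed traffic: a cipher suite 3 negotiation, an IPMI 1.5 header the
# parser must ignore, then a cipher suite 0 negotiation.
SAMPLE_DATAGRAMS = [
    build_open_session_request(1, 1, 1),     # suite 3: RAKP-HMAC-SHA1 / HMAC-SHA1-96 / AES-CBC-128
    b"\x06\x00\xff\x07\x00" + b"\x00" * 20,  # IPMI 1.5 session header (auth type 0), not RMCP+
    build_open_session_request(0, 0, 0),     # suite 0: no authentication, integrity or confidentiality
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE_DATAGRAMS):
        print(i, parse_open_session_request(pkt))
    print("cipher-suite 0 attempts at:", find_cipher_zero_attempts(SAMPLE_DATAGRAMS))
```

Once the mitigation is applied the BMC should reject such a request at the Open Session stage, so an alert on this datagram reaching port 623 is still useful: it tells you who is probing for the flaw even when it no longer works.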