Supermicro IPMI – password vulnerability

Intro

I love Supermicro, they make great boards and some of my favorite chassis. Typically I like to build my own servers so I’m not stuck buying hard drives just to get trays or subject to back doors out of the box. I build most servers from parts so I can pick the hardware I like and make sure I’m using what I consider to be the newest stable set. However, I recently stumbled across the fact that on older versions of Supermicro IPMI firmware the system will just give you the admin password.

The problem

IPMI is a standard remote management tool typically built into server class motherboards. This means you can remotely:

  • Power cycle the unit
  • Change some setup/BIOS options
  • Monitor sensors (temp, fan levels etc)
  • Open a console as if you plugged into VGA
  • Access the machine, even if it is off

However, besides HTTP, other ports are open. It appears that Supermicro IPMI port 49152 will just hand over all your user credentials if asked correctly.

My board and setup

Motherboard X9DRi-LN4F+
Current IPMI ver 02.34
Upgrade to IPMI ver 3.29

My test on version 2.34

root@host:/# nc ipmi_host 49152
GET /PSBlock
▒ /▒     ▒adminADMINADMINTTadminpassword_here_for_free▒▒▒}▒▒▒oDDD@h▒L
root@host:/#

It looks like there is a file “PSBlock” that contains most user info in plain text and the system will give it freely if you ask. Luckily Supermicro has already released a patch to address this issue.

You can apply the new firmware through the web interface:

IPMI firmware upgrade

Once the firmware was applied port 49152 no longer replies so I’m not sure if they’re hashing the passwords now or if they just closed the port.

NMap before patch

Not shown: 95 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        Dropbear sshd 2012.55 (protocol 2.0)
80/tcp    open  http       lighttpd
443/tcp   open  ssl/https?
5900/tcp  open  vnc        VNC (protocol 3.8)
49152/tcp open  upnp       Portable SDK for UPnP devices 1.6.18 (Linux 2.6.17.WB_WPCM450.1.3; UPnP 1.0)

NMap after patch

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        Dropbear sshd 2013.60 (protocol 2.0)
80/tcp   open  http       lighttpd
443/tcp  open  ssl/https?
5900/tcp open  vnc        VNC (protocol 3.8)

However, once you perform the IPMI upgrade all of your settings and users will be lost. I don’t use the default ADMIN/ADMIN — and I strongly recommend disabling it — so I had to recreate my users for IPMI after the upgrade.

Password issue with IPMI firmware 3.29

I like to use complex passwords that include symbols, numbers and potentially spaces. However, when I recreated my user I found I couldn’t log in no matter how carefully I typed my password. I started to experiment and it became obvious that the HTML interface was truncating my passwords and not informing me.

I decided it would be worth figuring out exactly where the password breaks.

Why the new IPMI firmware breaks long passwords

Through trial and error I was able to determine when passwords start getting truncated

babiesbabies -- works
babiesbabiesbabies -- works 
babiesbabiesbabiesbabies -- breaks

Now we know truncation occurs between 19 and 24 characters. A quick inspection of the HTML on the change password page shows

IPMI password form

So there we go, it’s set to a max length of 19 characters in the submit. After finding this out “babiesbabiesbabiesb” works when the password was set to “babiesbabiesbabiesbabies”

How to get around the truncation and still set long passwords

After doing some digging I found that Supermicro has a Java based config utility called IPMIView.

Download this tool and launch it by calling IPMIView20.bat. You might need to add a line to the batch file that looks like:

set path=C:\Program Files (x86)\Java\jre7\bin

Chances are you if you don’t do this it won’t find your java binary.

Supermicro IPMI config tool

What the tool looks like once it works

Using the above utility you can once again set longer — 19+ — passwords.

Conclusion

Definitely upgrade to the new version of Supermicro firmware because even if it’s just your LAN port 49152 is dangerous! However, if you like passwords that are longer than 19 characters you’ll need to use their IPMIView tool to set it.

Thanks

1 comment to Supermicro IPMI – password vulnerability

  • Hi, thanks for this.

    I was preparing to reset the IPMI password via a dos applet booted from USB. This just saved me the trouble.

    I tried setting a 32ch password, and figured it was too long and got cut off. I just had to determine what the character limit was…your article helped me realize the length. I’ve logged in successfully and updated my records.

    Thanks!

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" cssfile="">