New vulnerability has been released by the CARI.net team regarding Supermicro’s implementation of IPMI/BMC for management. The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152. Almost 31,964 servers are vulnerable with this vulnerability, total Hosts responding to web requests on port 49152: 9,867,259. The UPnP issue had already been patched with the newest IPMI BIOS version. However, flashing a system is not always a possibility.
The vulnerability actually resides in the Baseboard Management Controller (BMC) in the WPCM450 line of chips incorporated into the motherboards.
Cari team said "Now keep in mind that not everything responding on port 49152 is a Supermicro product. As it turns out, many products use the embedded UPNP software by default, but let’s get through Supermicro first)."
31,964 systems that have their passwords available on the open market. It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination.
Most of the systems affected by this particular issue also have their “sh” shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command “shell sh”, you can drop into a functional SH shell.
From there you can actually kill all “upnp” processes and their related children, which provides a functional fix. That is of course until the system is completely disconnected from power and reconnected, during which the IPMI module will reboot.
Another very disturbing discovery was that a lot of systems are running older versions of the Linux kernel. Approximately 23,380 of the total hosts are running the 2.4.31.x kernel, another 112,883 are running the 2.4.30.x kernel, and 710,046 systems are running the 2.4.19.x kernel.
The largest number of systems responding to an HTTP GET request were systems running under the banner of AT&T U-Verse with a total of 6,448,716. However, they do not broadcast any information, and they respond with the HTTP code “200 OK”.
If you find a vulnerability, reach out to the respective vendor first. If the vendor is unresponsive or does not share your urgency, there are organizations such as the US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the MITRE Corporation who will assist.
If they determine the issue does not meet their criteria for assistance, try subscribing to a security-minded mailing list and see if somebody there will assist you.
As for the devices you have around your home or workplace, an interesting adventure is to search them and append the word “vulnerability”.
