Recently discovered security flaws in the firmware of servers from Supermicro could be putting around 35,000 publicly accessible servers at risk, according to researchers from Rapid7. The security firm recently publicly disclosed seven flaws in the Supermicro firmware. While the vendor has released a patch, some of the issues appear to remain unaddressed, prompting some onlookers to call for better efforts on the part of vendors to improve software security.
Rapid7’s research focused on the Intelligent Platform Management Interface protocol implementation in the baseboard management controller of many Supermicro motherboards. IPMI is the server management protocol that allows users to control the BMC, an integrated component on most servers designed to offer remote management capabilities. The IPMI protocol has been an ongoing focus of Rapid7 and its chief security officer H.D. Moore, with the research team uncovering sweeping IPMI problems that affected as many as 100,000 publicly accessible servers earlier this year, according to Dark Reading.
The vulnerabilities were found in Supermicro firmware version SMT_X9_226 and include backdoors resulting from hardcoded OpenWSMan credentials and static encryption keys, as well as buffer overflow vulnerabilities in the login.cgi, close_window.cgi and logout.cgi CGI applications. Each of the latter set could allow for remote code execution as the root user account.
Other vulnerabilities include the potential for a directory traversal attack in the url_redirect.cgi CGI application, which could give an attacker access to the contents of any file on the system, and the use of a number of insecure, unbounded functions that expose many CGI applications to unauthenticated users. Overall, these flaws account for a level of remote access close to what an attacker could achieve in person, making them a substantial threat.
The majority of these issues appear to have been fixed by the release of a new firmware version, SMT_X9_315. Nonetheless, some vulnerabilities appear to remain unfixed, and the chances that the zero-days will persist unpatched on user systems remain high as well, according to Tod Beardsley, the engineering manager for Rapid7’s Metasploit tool. As a result, many organizations will likely be targeted.
“Exploiting [these bugs] is going to give you control over the BMC, which is then a short walk to the server itself,” Beardsley told Dark Reading. “You can enable a [kernel-based virtual machine] and have a remote mouse as if you are standing in the data center … then you can steal all the data.”
According to Robert Graham, CEO of security research firm Errata, companies should be paying closer attention to the findings of Rapid7’s team. But he also applauded the disclosure from the point of view of its effect on vendors, explaining that vendors have a responsibility to improve the security of vulnerable devices. Even if the Supermicro flaws go largely unpatched, there’s an important element of security that arises simply from making a big deal about the risk, he told Dark Reading. He equated vendors letting vulnerabilities go undisclosed and unaddressed to hurting their users.
“When they say [to researchers], ‘Please don’t disclose this vulnerability because it affects my users’ … it means, ‘I’m holding my users hostage,’” Graham told Dark Reading.
As companies look to improve the security of their firmware in response to such incidents, using approaches such as a secure development lifecycle that leverages static analysis software is essential. By regularly scanning and reviewing new code, companies can catch and address the kinds of errors, such as the unbounded functions in Supermicro’s CGI applications, that can expose systems to attackers. With an increasing range of devices left publicly exposed to the Internet, vendors have a responsibility to shore up security in their products the best they can.
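As an added illustration (not Supermicro’s or Rapid7’s code), this is the kind of bounded parameter copy and redirect-target check a code reviewer or static analyser would expect in a CGI handler in place of unbounded string functions; the function names, the buffer size and the accepted character set are assumptions:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical size of a fixed stack buffer in a CGI handler. */
#define PARAM_MAX 32

/* Bounded copy of an untrusted CGI parameter into a fixed buffer.
 * Unlike strcpy()/sprintf(), it never writes past dst[cap-1] and always
 * NUL-terminates. Returns false when src does not fit, so the caller can
 * reject the request instead of silently truncating it. */
bool copy_param_bounded(char *dst, size_t cap, const char *src) {
    size_t n = 0;
    while (n < cap && src[n] != '\0') n++;
    if (n == cap) {                    /* no room, or src too long */
        if (cap) dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);           /* includes the terminating NUL */
    return true;
}

/* Accepts an already URL-decoded redirect target only if it is a relative
 * path of [A-Za-z0-9._-/] characters with no empty and no ".." segment. */
bool redirect_target_is_safe(const char *target) {
    if (*target == '\0' || *target == '/') return false;
    for (const char *p = target; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-/", *p)) return false;
    for (const char *seg = target;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (end && len == 0) return false;                     /* "a//b" */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (!end) break;
        seg = end + 1;
    }
    return true;
}

/* A request handler in the hardened style: 0 = accepted,
 * 1 = user parameter rejected, 2 = redirect target rejected. */
int handle_request(const char *user_param, const char *redirect_param) {
    char user[PARAM_MAX];
    if (!copy_param_bounded(user, sizeof user, user_param)) return 1;
    if (!redirect_target_is_safe(redirect_param)) return 2;
    return 0;
}
```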
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.