A security issue with the baseboard management controller (BMC) found in thousands of Supermicro motherboards continues to cause problems: the controller stores administrative passwords in plain text, and they are easily downloadable. Interested parties can discover the passwords by connecting via port 49152.
Although Supermicro has released an update that patches the critical fault, nearly 32,000 systems are still said to be vulnerable, according to Zachary Wikholm, senior security engineer for server and cloud computing company Cari.net.
The BMC is a motherboard component which allows an admin to monitor and control a server or a group of servers. Wikholm discovered that unpatched BMCs in Supermicro motherboards hold a binary file that stores remote login passwords in clear/plain text, and can be easily downloaded by connecting to port 49152.
Wikholm then scanned the Internet using Shodan, a specialised search engine for finding embedded systems. The results indicated that 31,964 vulnerable systems were online at the time. "This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," said Wikholm. "It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password'."
The flaw was verified by Tony Carothers of the SANS Internet Storm Centre, a company which monitors emerging security threats. "The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," Carothers said in a handlers' diary blog. "One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word."
Wikholm said in his blog post that when the issue was brought to the attention of Supermicro, the company responded that the UPnP issue had already been patched with the newest Intelligent Platform Management Interface (IPMI) BIOS version. However, a system needs to be flashed for that version to be installed, and "flashing a system is not always a possibility," depending upon the system's configuration or use, he noted. Wikholm has therefore described on his blog a temporary fix, applied via the SMASH command line, which works until the system is rebooted.
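
Because the temporary fix does not survive a reboot and flashing is not always possible, operators may want to watch for connections to port 49152 on their own BMC interfaces. The following is an added example, not code from Wikholm or Supermicro: it scans connection logs for accepted TCP connections to that port from outside an admin network. The log format, address ranges and sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (hypothetical, not from the article): networks and log format.
BMC_NET = ipaddress.ip_network("10.20.0.0/24")        # where BMC interfaces live
ADMIN_NETS = [ipaddress.ip_network("10.99.0.0/28")]   # hosts allowed to reach BMCs
BMC_FILE_PORT = 49152                                  # port named in the article

# Constructed sample log: "timestamp proto src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2024-01-01T10:01:07Z tcp 10.99.0.5 10.20.0.17 49152 ACCEPT
2024-01-01T10:02:44Z tcp 198.51.100.23 10.20.0.17 49152 ACCEPT
2024-01-01T10:02:45Z tcp 198.51.100.23 10.20.0.18 49152 DROP
2024-01-01T10:03:10Z tcp 198.51.100.23 10.20.0.17 443 ACCEPT
2024-01-01T10:04:00Z udp 203.0.113.9 10.20.0.30 49152 ACCEPT
garbage line
2024-01-01T10:05:31Z tcp 203.0.113.9 10.20.0.30 49152 ACCEPT
"""

def parse(line):
    """Return a record dict, or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, dst, port, action = parts
    try:
        return {"ts": ts, "proto": proto.lower(),
                "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "port": int(port), "action": action.upper()}
    except ValueError:
        return None

def find_exposures(log_text):
    """Map each BMC address to accepted port-49152 connections from non-admin sources."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # The article describes a file download, so only TCP is considered (assumption).
        if rec["proto"] != "tcp" or rec["port"] != BMC_FILE_PORT:
            continue
        if rec["dst"] not in BMC_NET or rec["action"] != "ACCEPT":
            continue
        if any(rec["src"] in net for net in ADMIN_NETS):
            continue  # expected management traffic
        hits.setdefault(str(rec["dst"]), []).append((rec["ts"], str(rec["src"])))
    return hits

if __name__ == "__main__":
    for bmc, events in find_exposures(SAMPLE_LOG).items():
        print(bmc, events)
```

Any BMC that appears in the output should be treated as having had its stored passwords exposed until it is patched and the credentials are changed.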