32,000 Supermicro motherboard passwords exposed as plain text

by Mark Tyson on 20 June 2014, 12:52

Tags: SuperMicro (NASDAQ:SMCI)


A security issue with the baseboard management controller (BMC) found in thousands of Supermicro motherboards continues to cause problems: affected controllers store administrative passwords in plain text, and interested parties can download them simply by connecting to port 49152.

Although Supermicro has released an update that patches the critical fault, nearly 32,000 systems are still said to be vulnerable, according to Zachary Wikholm, senior security engineer at server and cloud computing company Cari.net.

The BMC is a motherboard component which allows an admin to monitor and control a server or a group of servers. Wikholm discovered that unpatched BMCs in Supermicro motherboards hold a binary file that stores remote login passwords in plain text, and that this file can be downloaded simply by connecting to port 49152.
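Exposure of this kind shows up in perimeter logs as inbound connections to the BMC port from outside the management network. The following is an added example, not code from the article or from Wikholm: it runs a simple detection over constructed firewall log lines (the log format, the BMC inventory and the trusted management network are all assumptions) and reports untrusted sources that were allowed through to TCP 49152 on inventoried BMC/IPMI interfaces.

```python
# Added example (not from the article): flag untrusted sources that were
# allowed through to TCP 49152 on inventoried BMC/IPMI interfaces, using
# constructed firewall log lines in an assumed format.
import ipaddress
import re
from collections import defaultdict

BMC_PORT = 49152  # port named in the article
# Assumed inventory of BMC/IPMI interfaces (hypothetical addresses).
BMC_HOSTS = {"10.0.5.10", "10.0.5.11"}
# Assumed management network from which BMC access is legitimate.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Assumed log format: "ts src=IP dst=IP dport=N action=ALLOW|DENY".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def is_trusted(src: str) -> bool:
    """True if the source sits on an assumed-legitimate management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def find_bmc_exposures(lines):
    """Return {src: [timestamps]} for allowed, untrusted hits on the BMC port."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the run
        if m["action"] != "ALLOW" or int(m["dport"]) != BMC_PORT:
            continue
        if m["dst"] not in BMC_HOSTS or is_trusted(m["src"]):
            continue
        hits[m["src"]].append(m["ts"])
    return dict(hits)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2014-06-20T12:00:01Z src=10.0.5.50 dst=10.0.5.10 dport=49152 action=ALLOW",
    "2014-06-20T12:00:07Z src=203.0.113.9 dst=10.0.5.10 dport=49152 action=ALLOW",
    "2014-06-20T12:00:09Z src=203.0.113.9 dst=10.0.5.11 dport=49152 action=ALLOW",
    "2014-06-20T12:00:15Z src=198.51.100.4 dst=10.0.5.11 dport=49152 action=DENY",
    "2014-06-20T12:00:20Z src=198.51.100.4 dst=10.0.5.20 dport=49152 action=ALLOW",
    "garbage line",
]

if __name__ == "__main__":
    for src, times in find_bmc_exposures(SAMPLE_LOG).items():
        print(f"{src}: {len(times)} allowed connection(s) to BMC port {BMC_PORT}")
```

Denied attempts and connections from the management network are deliberately ignored, so the report lists only traffic that actually reached a BMC from outside it.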

Wikholm went on to scan the Internet using Shodan, a specialised search engine for finding embedded systems. The results indicated that 31,964 affected vulnerable systems were online at the time. "This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," said Wikholm. "It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password'."

The flaw was verified by Tony Carothers of the SANS Internet Storm Center, a company which monitors emerging security threats. "The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," Carothers said in a handlers' diary blog. "One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word."

Wikholm said in his blog post that when the issue was brought to Supermicro's attention, the company responded that the UPnP issue had already been patched in the newest Intelligent Platform Management Interface (IPMI) BIOS version. However, a system needs to be flashed for that fix to be installed, and "flashing a system is not always a possibility," depending on the system's configuration or use, he noted. Wikholm has therefore described, on his blog, a temporary fix applied via the SMASH command line; it works until the system is rebooted.



HEXUS Forums :: 2 Comments

Any large company exploited for storing users' passwords in plain text should be dragged into court and made to explain themselves. It's just not acceptable.

I've been coding since I was 12 (I'm now 27) and I wouldn't have even dreamed of storing passwords in plain text, even as a 12 year old. It defies belief that a large organisation would think it okay.

AlexKitch
I've been coding since I was 12 (I'm now 27) and I wouldn't have even dreamed of storing passwords in plain text, even as a 12 year old.

That's good for you, but not all developers / companies / APIs / platforms / SDKs / etc come from an era when easy access to hashing algorithms is commonplace.

For all we know the actual code that stores and checks passwords is literally DECADES old.

But… The year is currently 2014 not 1984. The team behind the code TODAY should have known about this and fixed it. Sounds like an ancient backdoor someone left in (or switched back on) by accident.

Old code should have been audited and purged where needed.