Hi! > Tested hardware: > > Supermicro X8SI6-F mainboard - IPMI firmware: 2.50 > Supermicro X9SCL-F mainboard - IPMI firmware: 1.01 > > Likely affects other Supermicro boards of those generations that use the > same type of firmware. > > == > Problem > == > > Modern servers often include a feature called IPMI to remotely manage and > monitor the server. > Since setting up the IPMI card properly requires entering a dozen settings > ranging from network information, usernames and passwords, > to e-mail address that should be notified if a hardware failure occurs, > most IPMI cards offer a convenience function to backup and restore the > settings to a file. > > > In the case of these boards you can login to the IPMI webinterface and go > to "maintenance" -> "IPMI configuration" -> "save IPMI configuration" and a > configuration backup file is generated. > > This file is then available for download at: > http://ipmi-ip-address/save_config.bin > > The problem is that this file is PUBLICLY accessible to everyone, even > those NOT logged into the webinterface. > Furtermore the file remains accessible until the server chassis loses > power, which is unlikely to be anytime soon if the server is already racked > up in a datacenter.
This isnt only the issue for the passwords. But also for the screen images. Those IPMI controllers have a option to capture the actual server screen. And this isnt password protected either. We reported this ~ 3 years ago to them. And is available in about any version. My advise, put those IPMI's on private networks only. Or firewall them. Bye, Raymond. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
