Detecting Supermicro IPMI Security Breach: How to Check for Plaintext Admin Password Exposure via Web Interface


Supermicro's Baseboard Management Controller (BMC) implementations have historically shown vulnerabilities in their IPMI web interfaces. The vulnerability discussed here allows remote attackers to retrieve plaintext administrator credentials through crafted web requests, bypassing authentication entirely.

# Quick test using curl (replace IP with your BMC IP)
curl -v "http://<IPMI_IP>/cgi/login.cgi" -d "name=ADMIN&pwd=ADMIN"
# Check response for plaintext credentials or unusual behavior

Monitor for these red flags in the web traffic to and from the BMC:

  • Unexpected 200 OK responses containing credential data
  • Base64-encoded strings in responses that decode to credentials
  • Session tokens being generated without proper authentication

For deeper investigation, examine these log locations:

# IPMI event logs
ipmitool sel list
# Web server access logs (typically in /var/log/)
grep -i "login.cgi" /var/log/lighttpd/*

Immediate actions for affected systems:

  1. Block web interface access at network perimeter
  2. Update to latest firmware (minimum v3.68 for X9/X10 systems)
  3. Implement IPMI LAN channel restrictions:
ipmitool lan set 1 ipsrc static
ipmitool lan set 1 ipaddr <new_ip>
ipmitool lan set 1 netmask <netmask>
ipmitool lan set 1 access on

Python script to periodically check for compromise indicators:

import requests

def check_ipmi_vuln(ip):
    """Post the default ADMIN/ADMIN credentials to login.cgi and classify the response."""
    try:
        r = requests.post(f"http://{ip}/cgi/login.cgi",
                          data={"name": "ADMIN", "pwd": "ADMIN"},
                          timeout=5)
        # A 200 whose body references the web management UI means the
        # default credentials were accepted
        if "webm" in r.text.lower() and r.status_code == 200:
            return "VULNERABLE"
        return "PATCHED" if r.status_code == 403 else "UNKNOWN"
    except requests.RequestException as e:
        return f"ERROR: {e}"

Additional hardening measures:

  • Disable IPMI web interface if unused
  • Implement VLAN segregation for management traffic
  • Configure IPMI to use dedicated network interfaces
  • Enable encrypted sessions only (RMCP+)

Consider replacing IPMI with these more secure options:

# SSH-based management example
ssh root@bmc-host "ipmitool sensor list"

The Supermicro IPMI (Intelligent Platform Management Interface) vulnerability described in CARI's blog post allows attackers to retrieve plaintext administrator credentials remotely. This affects the Baseboard Management Controller (BMC) firmware versions before SMT_X9_315.

To verify if your Supermicro IPMI is vulnerable:

# Check IPMI firmware version
ipmitool mc info | grep "Firmware Revision"

Versions below 3.15 are vulnerable. Additionally, check for these indicators:

  • Unexpected admin account changes
  • Unusual network traffic on port 623 (IPMI)
  • Failed login attempts in IPMI logs
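The firmware check above compares the revision reported by `ipmitool mc info` against 3.15 (the SMT_X9_315 fix level). The following is an added example, not code from the original page or from Supermicro, that parses that output and does the comparison numerically, which matters because a plain string comparison would rank 3.9 above 3.15. The `SAMPLE_MC_INFO` text is constructed for illustration, and `check_host` assumes `ipmitool` is on PATH and reads the BMC password from the `IPMI_PASSWORD` environment variable via the `-E` flag.

```python
import os
import re
import subprocess

# Constructed sample of `ipmitool mc info` output (not captured from a real BMC).
SAMPLE_MC_INFO = """Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.12
IPMI Version              : 2.0
Manufacturer ID           : 10876
Manufacturer Name         : Supermicro
"""

# The fixed firmware level named on the page: SMT_X9_315 reports as 3.15.
FIXED_REVISION = (3, 15)

FIRMWARE_RE = re.compile(r"^Firmware Revision\s*:\s*(\d+)\.(\d+)", re.MULTILINE)


def parse_firmware_revision(mc_info):
    """Return (major, minor) parsed from `ipmitool mc info` text, or None if absent."""
    m = FIRMWARE_RE.search(mc_info)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def firmware_is_below(mc_info, fixed=FIXED_REVISION):
    """True when the reported revision is older than the fixed release.

    Tuples compare element-wise, so (3, 9) < (3, 15) as intended; comparing the
    strings "3.9" and "3.15" would get this backwards.
    """
    rev = parse_firmware_revision(mc_info)
    if rev is None:
        raise ValueError("Firmware Revision line not found in mc info output")
    return rev < fixed


def check_host(ip, user="ADMIN"):
    """Query one BMC over lanplus and classify its firmware (requires ipmitool and IPMI_PASSWORD)."""
    if "IPMI_PASSWORD" not in os.environ:
        raise RuntimeError("set IPMI_PASSWORD in the environment; -E tells ipmitool to read it")
    cmd = ["ipmitool", "-I", "lanplus", "-H", ip, "-U", user, "-E", "mc info"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15, check=True).stdout
    return "VULNERABLE" if firmware_is_below(out) else "PATCHED"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(parse_firmware_revision(SAMPLE_MC_INFO), firmware_is_below(SAMPLE_MC_INFO))
```

Run `check_host` against an inventory of BMC addresses to produce a list of hosts still below 3.15; the offline functions let you verify the parser against saved `mc info` output first.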

Here's a Python script to test for the vulnerability:

import requests

def check_ipmi_vuln(ip):
    """Fetch login.cgi without credentials and look for the default credential strings in the body."""
    try:
        url = f"http://{ip}/cgi/login.cgi"
        response = requests.get(url, timeout=5)
        # Both default strings appearing in an unauthenticated response indicates exposure
        return "ADMIN" in response.text and "PASSWORD" in response.text
    except requests.RequestException as e:
        print(f"Error checking {ip}: {e}")
        return False

Remediation steps:

  1. Update IPMI firmware to latest version
  2. Change all default credentials
  3. Restrict IPMI network access
  4. Enable IPMI encryption

For long-term security:

# Configure IPMI network restrictions
ipmitool lan set 1 access on
# Set the channel to user-level access mode
ipmitool lan set 1 user
# 15 characters, one per RMCP+ cipher suite 0-14: X disables a suite, u/o/a grant
# user/operator/admin. The all-X string is a placeholder; keep suite 0 as X, since
# it provides no authentication or encryption, and grant only the suites you need.
ipmitool lan set 1 cipher_privs XXXXXXXXXXXXXXX

Set up monitoring for suspicious IPMI activity:

# Sample log monitoring rule for fail2ban
[Definition]
failregex = ^<HOST>.*"POST /cgi/login.cgi.* 200
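The fail2ban rule above and the `grep` over the lighttpd access logs earlier both reduce to the same question: which hosts are hammering `/cgi/login.cgi`? The following is an added example, not code from the original page, that applies the same pattern as the failregex to constructed lighttpd-format log lines and flags any source that reaches `maxretry` POSTs within `findtime`, mirroring fail2ban's semantics. The log lines and the host names in them are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lighttpd-style access log lines (default "%h %V %u %t \"%r\" %>s %b ..."
# format); not captured from a real BMC.
SAMPLE_LOG = """\
192.0.2.10 bmc01 - [14/Jun/2024:10:00:01 +0000] "POST /cgi/login.cgi HTTP/1.1" 200 512 "-" "curl/7.88"
192.0.2.10 bmc01 - [14/Jun/2024:10:00:02 +0000] "POST /cgi/login.cgi HTTP/1.1" 200 512 "-" "curl/7.88"
192.0.2.10 bmc01 - [14/Jun/2024:10:00:03 +0000] "POST /cgi/login.cgi HTTP/1.1" 200 512 "-" "curl/7.88"
192.0.2.10 bmc01 - [14/Jun/2024:10:00:04 +0000] "POST /cgi/login.cgi HTTP/1.1" 200 512 "-" "curl/7.88"
192.0.2.10 bmc01 - [14/Jun/2024:10:00:05 +0000] "POST /cgi/login.cgi HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.7 bmc01 - [14/Jun/2024:10:05:00 +0000] "POST /cgi/login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 bmc01 - [14/Jun/2024:10:05:09 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 bmc01 - [14/Jun/2024:12:00:00 +0000] "GET /cgi/login.cgi HTTP/1.1" 200 1024 "-" "python-requests/2.31"
"""

# Same intent as the fail2ban failregex: source host at line start, a POST to
# login.cgi, and a 200 status.
LOGIN_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /cgi/login\.cgi[^"]*" 200'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def login_posts(log_text):
    """Yield (host, timestamp) for every line that matches the login POST pattern."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("host"), datetime.strptime(m.group("ts"), TS_FMT)


def flag_bursts(log_text, maxretry=5, findtime=timedelta(seconds=600)):
    """Return {host: count} for hosts that reach maxretry login POSTs within any findtime window.

    This is fail2ban's ban condition: the count of matches inside a sliding
    window of findtime seconds reaching maxretry.
    """
    by_host = defaultdict(list)
    for host, ts in login_posts(log_text):
        by_host[host].append(ts)

    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within findtime
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[host] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG))
```

Because the pattern counts every 200 response to `login.cgi`, it cannot tell a successful login from a failed one when the BMC answers both with 200 and signals failure only in the body; set `maxretry` high enough that a few legitimate logins from one workstation do not trip it, and confirm bursts against `ipmitool sel list` before treating a host as hostile.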