Penetration testing is a key part of mitigating risk when using the IPMI service to monitor environmental system controls.
Many organizations proactively scan and monitor for network-based vulnerabilities as part of an ongoing vulnerability management program. Dozens of commercial vulnerability scanning engines exist. One class of vulnerability that is often overlooked because of its seemingly low risk rating is IPMI service-related vulnerabilities. While they may not allow full system takeover, the potential effects on a critical system could be devastating.
We rely heavily on the Tenable Professional vulnerability scanner for network vulnerability scans and exploitation-based activities. The purpose of this blog is not to endorse a scanner but to provide additional tools and resources for testing and validating vulnerabilities.
We are going to take a deep dive into the Intelligent Platform Management Interface (IPMI) service (Nessus plugin IDs 68931 and 80101). IPMI provides system monitoring and configuration capabilities independently of the host operating system.
The Attack
You can use the IPMI service to monitor environmental system controls such as internal temperatures, voltage, fans, and power supplies. You can also use this service to remotely start and restart a system.
This specific attack relates to two common vulnerabilities associated with the IPMI service: IPMI v2.0 Password Hash Disclosure (Plugin ID 68931) and IPMI Cipher Suite Zero (Plugin ID 80101).
To validate the IPMI v2.0 Password Hash Disclosure (Plugin ID 68931), a Metasploit module exists (auxiliary/scanner/ipmi/ipmi_dumphashes). When run, the module attempts to dump the password hashes of user accounts in a file format supported by Hashcat or John the Ripper. More often than not, default credentials are left on systems. The following is a list of known default IPMI credentials by manufacturer.
The cool thing about the ipmi_dumphashes Metasploit module is that it automatically detects whether a default password is in use by attempting to crack each password hash with a dictionary composed of the default passwords listed above. It is worth noting that HP is one of the few manufacturers that ships a secure(ish) default password.
In addition to the IPMI v2.0 Password Hash Disclosure, another commonly observed vulnerability is IPMI Cipher Suite Zero (Plugin ID 80101). The IPMI Cipher Suite Zero enables an attacker to log into the IPMI service with only a valid username, bypassing the authentication mechanism put in place.
In our experience, Nessus does a poor job of detecting this vulnerability. Any time we detect the IPMI service running on TCP/623, we scan for the vulnerability using an Nmap script. The following command performs a targeted scan against the IPMI service (a UDP service, hence -sU) to look for the IPMI Cipher Suite Zero vulnerability:
nmap -sU -p 623 --script=ipmi-cipher-zero <TARGET>
In addition to the Nmap script, a Metasploit module (auxiliary/scanner/ipmi/ipmi_cipher_zero) exists to scan specific systems or whole subnets for the vulnerability. After identifying the vulnerability, you can use ipmitool to log into the IPMI service from a command terminal. Here -I selects the ipmitool interface (lanplus for IPMI v2.0) and -C 0 selects cipher suite 0:
ipmitool -I <INTERFACE> -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> <IPMI COMMAND>
After successfully validating the Cipher Suite Zero vulnerability, it is possible to perform post-exploitation activities to add a user to the IPMI service, thereby establishing a backdoor into the system. You can use the following IPMI commands to add a user to the system:
user set name 2 <USERNAME>
user set password 2 <PASSWORD>
user priv 2 4
user enable 2
Upon completion, you will have successfully established a backdoor into the IPMI service and should be able to SSH into the service as an administrator.
The Risk and Mitigation of Using the IPMI Service
The IPMI service does not typically house sensitive data such as personally identifiable information (PII) or personal health information (PHI). While a persistent backdoor into a system at any level is not a good thing, an attacker is going to have a limited vantage point within the IPMI service. Possible risks include:
- An attacker remotely shuts down and restarts the system using the IPMI service, causing a loss of data or a denial-of-service situation.
- Password reuse: if the IPMI password hashes can be dumped and cracked, the recovered passwords may be reused by the same people in other areas of the network.
- An attacker disables environmental alerts or alarms. If an attacker can disable environmental alerting surrounding the internal temperature of the system, the system may overheat, causing damage to internal components.
- An attacker can use the backdoor to gather internal intelligence as part of a larger network attack.
Thankfully, there are some quick and easy things you can implement to harden the IPMI service to mitigate these attacks.
First and foremost, if you are not using IPMI for a business function, disable the service. The easiest way to mitigate a vulnerability in any environment is to disable unneeded and unnecessary services.
- Ensure you disable all default accounts (even HP’s). Each user who may access or monitor the service should be provided their own unique account, and the passwords should follow internal password policies (hopefully eight or more characters long and complex).
- Implement access control lists (ACLs) to only allow specific systems to access the IPMI service. If Bob from accounting does not need to access the IPMI service, block him.
- Disable Cipher Suite Zero bypass. I cannot for the life of me think of a valid business reason to provide unauthenticated access to a network-based service. Should you have one, we recommend including this in any risk assessments and creating a security exception you review on an annual basis to ensure you still have a business requirement and need for the configuration.
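To verify the two hardening items above (no cipher suite 0, no stray privileged accounts) without re-running the attack, here is an added Python example that is not part of the original post: it parses the output of ipmitool's "lan print" and "user list" commands. The sample outputs are constructed, and the layout of the "Cipher Suite Priv Max" field (one character per suite, suite 0 first, X meaning disabled) is assumed to match ipmitool's documented convention; confirm it against your own BMC's output.

```python
"""Audit ipmitool output for cipher suite 0 and privileged IPMI accounts.

The two text blocks below are constructed samples, not captures from a real BMC.
"""
import re

# Constructed sample of `ipmitool lan print 1`, abridged to the relevant lines.
LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Constructed sample of `ipmitool user list 1`.
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""


def cipher_privs(lan_print: str) -> str:
    """Return the 15-character per-suite privilege string (suite 0 is first)."""
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]{15})\s*$", lan_print, re.M)
    if not m:
        raise ValueError("Cipher Suite Priv Max line not found")
    return m.group(1)


def cipher_zero_enabled(lan_print: str) -> bool:
    """Suite 0 (no authentication, integrity or confidentiality) is live unless marked X."""
    return cipher_privs(lan_print)[0] != "X"


def hardened_cipher_privs(lan_print: str) -> str:
    """Same string with suite 0 disabled, usable with `ipmitool lan set 1 cipher_privs ...`."""
    return "X" + cipher_privs(lan_print)[1:]


def privileged_users(user_list: str) -> list:
    """Names of accounts allowed to send IPMI messages at ADMINISTRATOR privilege."""
    row = re.compile(r"^\s*(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")
    found = []
    for line in user_list.splitlines()[1:]:  # skip the header row
        m = row.match(line)
        if m and m.group(5) == "true" and m.group(6) == "ADMINISTRATOR":
            found.append(m.group(2))
    return found
```

Review every name returned by privileged_users against the list of people who actually need IPMI access, and apply hardened_cipher_privs only after confirming the channel number on your BMC.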
Use Penetration Testing to Prevent IPMI Service Vulnerabilities
IPMI is a common service we find in almost every enterprise network we test. While the service may seem benign, an attacker who abuses it can potentially do a lot of damage.
While it may not allow a direct foothold into the system or give an attacker local administrator access, you should examine IPMI-based vulnerabilities nonetheless. Penetration testing functions as a proactive defense mechanism, allowing you to detect and rectify your system’s vulnerabilities before hackers can take advantage of them.