There are vulnerabilities in the Intelligent Platform Management Interface (IPMI) firmware developed by Supermicro, a U.S.-based company that provides servers.
Seven holes have been identified, and with over 35,000 IPMI systems the potential victim base is fairly large. Rapid7’s HD Moore discovered the vulnerabilities.
Researchers found the firmware comes with hardcoded private encryption keys and cyber criminals could leverage the vulnerabilities to launch man-in-the-middle attacks against publicly available firmware.
Researchers also found a backdoor in the OpenWSMan interface where it appears there are two sets of credentials for this interface readily available to anyone who knows where to look for them. The problem is you can’t change either one of the two.
In addition to these credential vulnerabilities, experts also found buffer overflows in the logout.cgi, close_window.cgi and the login.cgi CGI applications.
The url_redirect.cgi application is vulnerable to directory traversal attacks because its url_name parameter is not sanitized, researchers said.
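The kind of input check whose absence is described for url_name, as an added example (not Supermicro's or Rapid7's code): the value is percent-decoded once and then rejected if it could resolve outside the directory being served. The function names, the 256-byte limit and the sample values are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: names and the 256-byte limit are assumptions. */
/* Percent-decode src into dst; -1 on bad escape, encoded NUL or overflow. */
static int pct_decode(const char *src, char *dst, size_t n)
{
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2])) return -1;
            char hex[3] = { src[1], src[2], 0 };
            c = (unsigned char)strtoul(hex, NULL, 16);
            src += 2;
            if (c == 0) return -1;      /* %00 would truncate the path later */
        }
        if (o + 1 >= n) return -1;      /* keep room for the terminator */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if the value stays below the served directory, else 0 (lexical check). */
int url_name_is_safe(const char *raw)
{
    char buf[256];
    int depth = 0;
    if (pct_decode(raw, buf, sizeof buf) != 0) return 0;
    /* No empty or absolute paths; no backslashes; no leftover '%' (double encoding). */
    if (buf[0] == '\0' || buf[0] == '/' || strpbrk(buf, "\\%")) return 0;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (--depth < 0) return 0; continue; }
        depth++;
    }
    return depth > 0;                   /* must name something below the base */
}

int main(void)
{
    /* Constructed sample values, not taken from the report. */
    const char *s[] = { "help/index.html", "a/../b", "%2e%2e/x", "/abs" };
    for (size_t i = 0; i < 4; i++)
        printf("%-16s -> %s\n", s[i], url_name_is_safe(s[i]) ? "allow" : "reject");
    return 0;
}
```

The check is lexical only; where the served directory can contain symlinks, the joined path should also be resolved with realpath() and compared against the base directory.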
An attacker with low privileges can gain root access to a device by exploiting an issue that affects the more than 65 CGI applications available via the web interface, Rapid7 researchers said.
Initially, Supermicro only confirmed receiving the vulnerability reports, but the company didn’t provide any status updates to Rapid7. Shortly after the security firm published its findings, Supermicro clarified that a patch was available.
Researchers haven’t been able to determine if all the issues they’ve reported have been properly fixed.
On top of all of that, Rapid7 said it contacted Supermicro once again with a new series of security holes.