CIO & Smart Grid Master: Bloodsucking leech puts 100,000 servers at risk of potent attack

Tuesday, August 20, 2013

Bloodsucking leech puts 100,000 servers at risk of potent attack

And naive computer companies continue to want the Smart Grid to rely on their years of security experience. This article proves why managing mission-critical communications networks related to the Smart Grid can not be open and should not be touching the Internet in any way.

NIST, NERC, SGIP and other Energy Standard Agencies should push hard to fix this problem.

Andres Carvallo

----

Bloodsucking leech puts 100,000 servers at risk of potent attack

Think IPMI admin tool is secure and no one connects it to public addresses? Nope.

by Dan Goodin - Aug 16 2013, 9:25am CDT

ARS Technica

At least 100,000 Internet-connected servers sold by Dell, HP, and other large manufacturers contain hardware that is vulnerable to potent remote hack attacks that steal passwords and install malware on their host systems, researchers said.

The threat stems from Baseboard Management Controllers (BMCs) that are embedded onto the motherboards of most servers. Widely known as BMCs, the microcontrollers allow administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. But serious design flaws in the underlying Intelligent Platform Management Interface, or IPMI, make BMCs highly susceptible to hacks that can cascade throughout a network, according to a paper presented at the Usenix Workshop on Offensive Technologies.

Heightening the risk, a recent Internet scan detected at least 100,000 IPMI-enabled servers running on publicly accessible addresses, despite long-standing admonitions from security professionals never to do so.

"IPMI can be a convenient administrative tool, but under the control of attackers, it can also serve as a powerful backdoor," the scientists from the University of Michigan wrote in the paper, which was titled Illuminating the Security Issues Surrounding Lights-out Server Management. "Attackers who take control of the BMC can use it to attack the host system and network in a variety of ways."

"Parasitic server"

One possibility, the paper continued, is the installation of BMC-resident spyware that captures administrative passwords when an operator remotely accesses a host server. Another scenario: attackers could gain unfettered "root" access to the host by remotely booting the server into recovery mode. Worse yet, attackers could abuse vulnerable BMCs to run an unauthorized operating system on the host that gives raw access to the server disks.

The researchers aren't the first to warn of the threats posed by widely used IPMI and BMC technologies. Last month, Dan Farmer, the highly regarded white-hat hacker, posted his own manifesto that used even stronger language to describe the lurking danger. At one point he wrote:

Imagine trying to secure a computer with a small but powerful parasitic server on its motherboard; a bloodsucking leech that can't be turned off and has no documentation; you can't login, patch, or fix problems on it; server-based defensive, audit, or anti-malware software can't be used for protection; its design is secret, implementation old, and it can fully control the computer's hardware and software; and it shares passwords with a bunch of other important servers, stores them in clear text for attackers to access.

HD Moore, chief research officer of security firm Rapid7 and chief architect of the Metasploit project used by penetration testers and hackers, provides an equally bleak security assessment of IPMI and BMC here.

BMCs contain different names and specifications depending on the server they're bundled with, and there's little public material documenting their inner workings. But because each runs the same IMPI protocol, they're all believed to be susceptible to the same threats. The University of Michigan researchers tested this hypothesis by selecting one such controller, which came embedded on the Super X9SCL-F motherboard of a Supermicro SYS-5017C-LF 1U rack-mounted server. After performing a thorough analysis of the device, the scientists found that its firmware (designed by a firm called ATEN Technology) contained "numerous textbook security flaws, including exploitable privilege escalation, shell injection, and buffer overflow vulnerabilities." The researchers developed proof-of-concept attack code that exploited the vulnerabilities to remotely obtain root access on the BMC. (Supermicro has since issued BMC firmware updates that fix some or all of the vulnerabilities.)

They went on to catalog a list of attack scenarios malicious hackers could mount when exploiting the bugs. They included:

Subverting the host system or other machines on the management network
Installing BMC spyware that eavesdrops on remote management sessions to sniff passwords or even the physical server console
Installing persistent BMC rootkits that provide attackers with backdoor access that remains hidden from IPMI logs
The creation of IPMI botnets to take advantage of the large amount of network bandwidth at their disposal

In all, the scientists detected more than 100,000 Internet-exposed IMPI devices, 40,000 of which used the Supermicro BMC they tested at length.

"We conservatively estimate that it would take less than an hour to launch successful parallel attacks against all of the 40,000 ATEN-based Supermicro IPMI devices that we observed listening on public IP addresses," they reported.

Either incompetence or indifference

The paper includes a list of defenses that should be required reading for anyone who administers a server anywhere. Suggestions include keeping IPMI firmware up to date, changing default passwords, and never, ever running IPMI devices on public IP addresses. This last admonition is widely repeated—often by the manufacturers of the servers that are put at risk by the vulnerabilities. The scientists' Internet scans provide convincing evidence that this advice is frequently ignored, so unfortunately, it's worth repeating often.

But the researchers also take engineers at original equipment manufacturers (OEMs) to task for, among other things, building devices that have IPMI capabilities turned on by default. The researchers go on to direct some harsh words at the people developing IPMI devices and the servers they go into.

"Given the power that IPMI provides, the blatant textbook vulnerabilities we found in a widely used implementation suggest either incompetence or indifference towards customers' security," the paper states. "While some OEMs recommend helpful precautions such as dedicated management networks, this should not be an excuse to shift blame to users who fail to heed this advice and suffer damage because of vulnerabilities in IPMI firmware. We believe that properly securing IPMI will require OEMs to take a defense-in-depth approach that combines hardening the implementations with encouraging users to properly isolate devices."

No comments:

Andres Carvallo BIO

Andres Carvallo is an award winning engineer, speaker, author, and executive. Andres is globally recognized by the IEEE as one of the early developers of the smart grid concept and technology. Andres championed Austin Energy's industry leading smart grid program design and implementation from 2003 – 2010 and he architected the Pecan Street Project in 2009. Andres co-authored the best selling book "The Advanced Smart Grid", has received 34 industry awards since 2005, and is a popular speaker and guest lecturer. Andres is currently the EVP of Energy Solutions and Chief Strategy Officer at Proximetry. Andres has over 27 years of experience in the Energy, Telecommunications, Computer and Software industries. Andres has held since 1992 P&L responsibilities and senior executive titles while being responsible for the strategy, development, and commercialization of over 40 products at six start-ups and leading global companies like Philips Electronics, Digital Equipment, and Borland. Furthermore, Andres started his career as a product manager for Microsoft Windows in Redmond, WA.

How to Run IT as a Business?

It all starts with my focus on the customer as the center of the lifecycle. The Lifecycle rules a discovery, planning, and maturity model process that orchestrates a framework. The framework, called RunITbiz, is made out of the 12 critical elements for Running IT as a Business. The elements are rationalized into demand and supply modules. At the core of the RunITbiz framework is a Service Oriented Architecture that leverages all legacy systems while powering new systems built on new open standards (Web Services, XML, BPEL, etc) including cutting edge Web 2.0 tools (Blogs, Wikis, AJAX, RSS, etc).

My RunITbiz Framework has two main modules. One module focuses on Managing IT Demand as a Business and the second one on Managing IT Supply as a Business. Each module has six critical elements to master. Here are the modules and critical elements:

Running IT Demand As A Business: 1. IT Governance, 2. IT Structure, 3. Portfolio Management, 4. Business Alignment, 5. Financial Management, 6. Marketing & PR

Running IT Supply As A Business: 7. Enterprise Architecture, 8. Vendor Management, 9. Process Management, 10. Project Management, 11. Service Management, 12. Quality Management

I wish you great success in your transformation. And if you have any questions, don't hesitate to reply to any post in this blog or contact me.

Top 20 Geek Blogs

1) Lifehacker - http://www.lifehacker.com/ - Lifehackers' motto says it all: "Don't live to geek, geek to live." This blog offers timesavers of just about every stripe, from Firefox shortcuts to tips from the "Getting things done" faithful.

2) IT Toolbox Blogs - http://blogs.ittoolbox.com/ - IT Toolbox has a number of "in the trenches" IT pros who talk about technology and management issues. There are specialist blogs dealing with security, databases and project management, among other subjects. It's a versatile site.

3) Valleywag - http://valleywag.com/ - Bring in the noise, bring in the snark. Valleywag is for those who believe that the tech industry lives or dies by the scuttlebutt pinging around Silicon Valley. And it's amusing for those of us who prefer that the lotus-eaters of Northern California stick with the dishing and tongue-wagging, leaving the rest of us to get the real work done.

4) Kotaku - http://kotaku.com/ - Kotaku is the snarky, gamer uber-blog. It has everything from reviews and gossip to cheat tips. Just about anything you'll ever need, including which game to buy and how to play it.

5) Danger Room - http://blog.wired.com/defense/ - Wired's military and defense blog writes about some of the coolest and scariest military technologies -- not to mention scandals, debates and other military news. Lots of video and imagery are included.

6) Gizmodo - http://gizmodo.com/ - Gizmodo's got the scoop on all the latest toys and cool and wacky inventions -- from high-def TVs and coffee makers to booze belts and USB drives. You've got to love a site that publishes photos of a solar-powered bathing suit. Yeah, they also blog about serious technology news too.

7) O'Reilly Radar - http://radar.oreilly.com/ - This is where you can read Tim O'Reilly (founder of O'Reilly publishing) and others discuss networking, programming, open source, intellectual property, politics and Web 2.0, emerging technology.

8) Techdirt - http://www.techdirt.com/ - Techdirt is a newsy, "tell it like it is" blog that frequently features debates on the hot issues in the Internet and computer fields. Scandals are a specialty. Simplicity is its hallmark.

9) Groklaw - http://www.groklaw.net/ - Groklaw's raison d'etre is needling SCO in its long-running patent fights against IBM and Novell, but the discussion sometimes veers toward other issues that involve technology, intellectual property, and government regulations.

10) Hack a Day - http://www.hackaday.com/ - Want to learn how to add USB to a cheap Linux router? Create a snake robot? How about an XBox 360 laptop? Hack a Day has these basement projects and many more. This site is for the serious techie. At the same time, it's good for a laugh or a new hobby.

11) Engadget - http://www.engadget.com/ - As Coke is to Pepsi, so Engadget is to Gizmodo. It's all about gear, gossip, techish issues and the occasional rant. It's got great product photos, and the editors have access to pre- and early-release gadgetry. Also, some really funny home-made junk. But we prefer Gizmodo.

12) Feedster - www.feedster.com/feedpapers/Technology - Like drinking from the hose. This Web page brings together blog sites about technology, sports, celebrity gossip, food, personal experiences -- you name it. It also offers a blog search feature that allows you to input words or phrases, and it has a very cool RSS aggregator for news feeds. It also injects some great humor into technology news. An all-around great site.

13) Forever Geek - http://forevergeek.com - Forever Geek is a great site with a myriad blogs on diverse topics, from technology and general interest news to movie and game reviews. Definitely a geek paradise. If you want to learn about the upcoming Iron Man movie or read a review of Photoshop CS3, this is the place to go.

14) Rough Type - http://www.roughtype.com/ - Nick Carr -- of "Does IT Matter?" fame -- has a sharp-minded blog that discusses all manner of issues and trends relating to technology. Always an entertaining read, Rough Type often locks horns with companies, people, technologies and policies that rub Carr the wrong way.

15) Smorgasbord - http://www.smorgasbord.net/ - Billed as a site for gadget- and game-loving geeks, this blog also serves up articles that cross over into the political and celebrity news of the day. The combination of entertainment value and tech news make Smorgasbord a top contender.

16) The Unofficial Apple Weblog (TUAW) - http://www.tuaw.com/ - TUAW offers collection of independent bloggers -- that is independent but not undecided or uninformed. It's a good source for Apple-related news. The only reason it didn't make the top 15 was its singular topic focus.

17) Elliot Back's blog - http://elliottback.com/wp/ - A self-professed computer scientist, Elliot posts everything from his opinions on why XML sucks, to the Titanic's passenger list and reviews of movies like 300. This site is diverse and well composed, offering great tips on topics such as increasing system performance and blocking spam.

18) Ed Foster's Gripelog - http://www.gripe2ed.com/scoop/ - There is a new crop of blogs that highlight poor customer service for consumer electronics, bad UIs and outright rip-offs, but Ed Foster has been doing it longer than anyone else. Check out these recent topics: Defective DRM, tricky warranties on plasma TVs and bad mobile phone service.

19) Gadgetell - http://www.gadgetell.com/ - This is a great site if you want to get the latest gadget and game news along with some topical opinion pieces.

20) 4sysops - http://4sysops.com/ - This is a very useful with well-written tips and how-to's for Windows admins.

Favorite Books

Blink - Malcolm Gladwell
Building the Real-Time Enterprise - Michael Hugos
Built to Last - Jim Collins
Crossing The Chasm - Geoffrey Moore
Dealing With Darwin - Geoffrey Moore
Earth: The Sequel - Fred Krupp
Freakonomics - Steven Levitt
Good to Great - Jim Collins
Hot, Flat, and Crowded - Thomas Friedman
Information Revolution - Jim Davis
Jack - Jack Welch
Perfect Power - Robert Galvin
Player Manager - Joy Palmer
Synchronocity - Joseph Jaworski
The Tipping Point - Malcom Gladwell
The World is Flat - Thomas Friedman
Transparent IT - Jack Wilson

About Proximetry

Proximetry develops and commercializes AirSync™, a comprehensive communications network and device management software platform for the energy industry. AirSync delivers secure, scalable, closed-loop control, and policy-based management of devices to build and manage large complex networks built upon multiple vendor platforms that incorporate a vast array of communications technologies. AirSync™ provides the essential tools for energy organizations to provision and manage mission-critical devices and networks. Founded in 2005, Proximetry is privately held, headquartered in San Diego, California, and backed by Munich Venture Partners, Aeris Capital, Investec, and Rembrandt Venture Partners. For more information, please visit www.proximetry.com

Cisco on Proximetry

Why is AirSync Better?

1) ALL other NMS/OSS products in the market use only SNMP to provide monitoring and alarms for devices, AirSync supports SNMP and it also uses a lightweight protocol (pre-CoAP) to manage devices with closed-loop control and policy-based functionality via an agent. AirSync’s pre-CoAP protocol solves the disadvantages of SNMP for the Smart Grid (i.e. too chatty, non-stop polling, and no integrated firmware management).

2) All other NMS/OSS products are focused on telecom WAN management only (i.e. routers, switches in telco domain) while AirSync can manage the WAN and its elements, it also can go deeper into the FAN, LAN, and PAN (including the AMI network). Furthermore, AirSync manages all devices hanging on those networks(e.g. electric/gas/water meters, inverters, IDEs, RTUs, Programmable Logic Controllers, premise gateways, premise routers, and sensors in general). It is important to note that All other NMS/OSS products in the market do not manage smart meters and/or any sensors on the edge of a FAN, LAN, or PAN, but AirSync does.

3) All other NMS/OSS products in the market do NOT provide any firmware management capabilities or if they do it is very limited. And they DO NOT support FANs, LANs, and PANs. And they DO NOT provide closed-loop control of any edge devices from any vendor on any network using any topology. AirSync delivers all of the above.

4) AirSync has unique features to manage ALL networks with many configurable enhancements like shaping the traffic and QoS management by having an agent on the device side unlike All other NMS/OSS products in the market which depend only on SNMP and lack such an ability.

Bottom line: All other NMS/OSS products in the market deliver only classical and limited WAN NMS/OSS capabilities. AirSync delivers all that far better and it can also support FAN/LAN/PAN/device/firmware management functions and help manage deeper into all the networks. AirSync has a well-defined NBI that can be used to interface with any NMS/OSS and provide the utility with an integrated management system with the utility's preferred GUI but with all the advantages of AirSync.