Did the world listen?
Historically speaking, vulnerability release follow-ups are usually pretty dismal. Honestly, I figured this would be the same old song and dance; “It’s been a year and nothing has changed”. I couldn’t be more wrong.
On June 19th 2014, we exposed possibly the worst type of vulnerability you could have in any device; Unauthenticated Plaintext Username and Password Exposure. For those who didn’t read our original posting about this, please see here for more info. The team at Supermicro was incredibly responsive with pushing patched firmware as well as notifying their own customers. A total of 31,964 Supermicro Motherboards were exposing their credentials via port 49152 as of the original posting last year. By the end of July, I was able to capture the malware specifically written for the vulnerable group of motherboards. A great response from both the end-users and the manufacturer facilitated a relatively quick mitigation policy. However, the response was not immediate. By December of 2014, the number of devices still exposed on public interfaces with their password files able to be downloaded was around 16k. This was quite a surprise; over half of the vulnerable devices had been patched, removed from public interface or had port 49152 blocked. As you can see from this report, the highest offender was the Nobis Technology group and their subsidiary, Ubiquity Solutions. This was also the case in original data set.
So how many vulnerable devices are left on public interfaces? As of 6/18/2015, I have not been able to find a single host from the original scan data that is still vulnerable, and no new devices have been added to the Shodan interface. Does these mean there are no further devices left on public interfaces? Not necessarily, but we can say with confidence that the number has dropped to a point where it no longer poses the threat it once did. We here at CARI.net were astonished by the response from the internet as a whole; a total of 31,964 devices across 2,571 organizations in 101 countries are no longer susceptible to this particular vulnerability!
While doing the follow-up research, I noticed a lot of providers just started blocking port 49152, leaving IPMI running on public interfaces. If you do a Shodan search for the the uPNP string, you can see that there are still plenty of SuperMicro BMC devices still on public interfaces. Since BMC is built for out-of-band management, to expect people to not have these on public interfaces is a bit unrealistic. We can all agree that exposing out-of-band solutions like iLo, iDrac and the SM BMC platforms on public interfaces should be avoided whenever possible, but we should also keep in mind that it is a necessary evil for some people. Out of the 6k Supermicro BMC platforms that still appear to be on public interfaces, none have port 49152 open.
Malware
I set up a honeypot for capturing attacks utilizing this particular vulnerability using a spare Supermicro motherboard we had here at CARI.net. With the exception of a spike in September, they were few and far between. This incident of note occurred early in September, when a piece of malware called “gay” was dropped onto the honeypot. Basic analysis of the malware showed that it was fairly rudimentary in both engineering and function. It appears to have been built for a single function – to DDoS the four IPs hard-coded in the file. We worked with the company who was targeted by this malware, and they were able to verify they were under attack. If you would like a sample of this malware, please email us at sirt@cari.net. You can also view the results from VirusTotal here.
One reason I think we did not see as many attacks utilizing this particular vulnerability was due to dwindling numbers of exposed systems. If you compared the 31k of exposed Supermicro systems to the volume of exploitable Ubiquiti routers or Hikvision DVRs, you are looking at a fairly small overall target group. Upon further review, most imperiled Supermicro BMC devices were compromised via default credentials and/or IPMI-related vulnerabilities such as the null cipher attack. In order to gather better statistics regarding how attacks on Supermicro BMC were facilitated, I decided to setup three Supermicro motherboards. The first board (X8SIE) was setup with the default admin credentials but with 49152 and null cipher disabled. The second board (X9SCL) was setup with unique credentials but vulnerable to the null cipher attack and uPNP turned off. The final board (X8DTL) was setup with both a set of unique credentials, null cipher disabled but vulnerable to the password file download on port 49152. It should also be noted that the anonymous user was disabled on all these boards. The results were surprising. The first server had multiple types of malware dropped within 24 hours, some of which was built for x86 systems. The second server only got compromised twice and was turned into an open relay for mail. The final server was never compromised. All three servers have been taken down and the test ran from November 10th 2014 through January 10th 2015. If you want more information regarding the attacks we saw, please shoot us an email at sirt@cari.net
What’s next?
Cybersecurity is becoming more and more difficult every day. Attacks are getting bigger and better at a faster rate than ever before. One of the largest DDoS threats facing everyone today is the use of reflection attacks. During the course of the original research in June 2014, we discovered there were over 9 million devices responding on port 49152, the majority of which were uPnP responses. While this number has dropped significantly to around 3 million, we still have a ways to go. The primary issue we encounter is that many of these devices belong to residential ISPs spread around the world, which makes it nigh impossible to fix. Furthermore, a quick search for SSDP devices on Shodan is incredibly revealing, marking the number at around 11M. Outside various types of reflection attacks, there are countless “website stresser” services, botnets for hire, and other DDoS technologies springing up on a regular basis.
The question remains, where do we start? Well, we already have! As a community, we mitigated a vulnerability that not only posed a threat to those who used the technology but the internet as a whole. The best advice I can give is to keep up to date on the latest issues; Read forums, join mailing lists and read blogs from firms such as Rapid7 and Cisco. One of the best starting points is isc.sans.edu. The only way the cybersecurity community stands a chance to make a difference is if we work together. If you have any questions or concerns regarding this particular article or just want to discuss cybersecurity with our team, feel free to shoot us an email at sirt@cari.net.
Regards, Zachary Wikholm Head Of Security Incident Response Team (CARISIRT) sirt@cari.net CARI.net