Major vulnerabilities in a protocol for remotely monitoring and managing servers would allow attackers to hijack the computers to gain control of them, access or erase data, or lock others out. The vulnerabilities exist in more than 100,000 servers connected to the internet, according to two researchers.

The vulnerabilities reside in the Intelligent Platform Management Interface, a protocol used by Baseboard Management Controllers that are used to remotely monitor servers for heat and electricity issues as well as manage access to them and other functions.

The security holes would allow hackers to obtain password hashes from the servers or bypass authentication entirely to copy content, install a backdoor or even wipe the servers clean, according to Dan Farmer, an independent computer security consultant who conducted the research for the Defense Department's DARPA.

A scan of the internet conducted by HD Moore, chief research officer at Rapid7 and creator of the Metasploit Framework penetration testing tool, found more than 100,000 systems online that were vulnerable to one or more of the security issues.

The IPMI protocol standardizes communication so that management controllers from various manufacturers can interact seamlessly with servers from various manufacturers. BMCs provide a virtual keyboard, mouse and removable media to remotely manage servers and are installed on nearly all servers manufactured today.

By using the vulnerabilities in IPMI to compromise a server's remote management controller, an attacker can then gain access to the server itself.

"In short – any weakness of the BMC can be used to get an almost-physical level of access to the server," Moore says, noting that users of IPMI are "heavily cautioned by the vendors to never place a server’s BMC on the internet because of the dangers it poses," but many ignore the warning.

"Essentially every modern company and government on the planet relies on IPMI for system management, and internal attacks would be substantially more deadly," he says.

Two versions of the protocol currently in use, versions 1.5 and 2.0, both have issues. Version 1.5 doesn't require that passwords for the BMC be encrypted. And version 2.0 has half a dozen additional vulnerabilities.

Farmer identified six distinct vulnerabilities in version 2.0 of the protocol. One intrinsic vulnerability lies in the fact that the protocol specifications call for passwords for the IPMI to be stored unencrypted on the BMC. He says this is particularly foolish because organizations often configure a single IPMI to manage large groups of servers – sometimes as many as 100,000 in the case of hosting providers – all of which would be vulnerable if someone gained access to the clear text password.

"The exposure of clear text credentials makes it possible for an attacker to compromise all BMCs using the same password," he says. "Information [about] how and where these passwords are stored has been documented online, and has been confirmed on both Dell and Supermicro BMC implementations."

Another vulnerability allows anyone to obtain a cryptographic password hash of a user's account, allowing an attacker to perform an offline brute-force attack to decipher the password. A Metasploit module already exists to conduct such an attack.

"A Python script and a Metasploit Framework module exist to test for this issue and have broken over 10 percent of the passwords with an initial test," Moore says.

A third vulnerability allows an attacker to bypass the authentication process entirely if someone has Cipher 0 enabled in the BMC configuration. Cipher 0 is often enabled by default in BMC systems to handle the authentication handshake, but it allows anyone to bypass authentication and send the system commands.

A fourth vulnerability would allow someone to use anonymous logins with the username and password set to a null value to gain administrative privileges on the control system.

Some BMCs also enable Universal Plug and Play by default. Moore published a paper earlier this year identifying three sets of serious security flaws in UPnP.

After performing an internet-wide scan to determine how many BMC systems are connected to the internet, he found more than 300,000. Of these, 195,000 were using version 1.5 of the protocol, which does not provide any encryption. Another 113,000 of the BMCs support version 2.0, and of these, 99,000 exposed password hashes, and 53,0000 were vulnerable to the password bypass issue due to Cipher 0 being enabled. About 35,000 BMCs from Supermico have a Universal Plug and Play vulnerability.

"The 53,000 BMCs that allow authentication via Cipher 0 are at immediate risk of compromise," Moore says. "No exploit code is needed to manipulate these systems as the standard IPMI command-line tools provide the required functionality. An attacker could use the Cipher 0 weakness to configure a backdoor account with administrative privileges. This backdoor could be used to compromise the BMC and the connected server."

Because BMCs have their own IP address, separate from the server's IP address, hackers could hijack the BMC and never be noticed by network administrators who are only monitoring server IP addresses for nefarious activity, Moore says.

Farmer began researching the IPMI protocol in mid-2012 as part of a DARPA Cyber Fast Track grant. Earlier this year Farmer published a list of security best practices for IPMI (.pdf).

Moore says companies should make sure that IPMI-enabled BMCs are not connected to the public internet, and that companies should also disable Cipher 0, set complex passwords, and in the case of Supermicro systems, demand a patch for the UPnP vulnerability from their vendor.

"Many folks are unaware that their systems have IPMI enabled in the first place, the only way to tell for sure is to use some form of scanner on the local network," says Moore, who added an IPMI module to the open source Metasploit Framework to help with this.