More than 32000 servers expose admin passwords in the clear


Userlevel 7
Badge +54
by paganinip on June 20th, 2014
More than 32000 servers built on motherboards manufactured by Supermicro expose their admin passwords in the clear; it is a godsend for hackers.

A significant number of servers containing motherboards manufactured by Supermicro expose administrator passwords. The situation is worrying because the problem is well known and a series of patches has already been released to fix the critical vulnerability, as explained by the experts of the CARI.net team.
The flaw relates to a component of the baseboard management controller (BMC), which allows administrators to monitor physical parameters (e.g. temperatures, fan speed, disk and memory performance) across a large number of servers. The controller in Supermicro motherboards contains a binary file that stores the remote login passwords in clear text.
 
Full Article.
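The servers counted in the article are reachable because their BMC network interface sits somewhere it should not. As an added example (not code from the article or from the CARI.net write-up), the following Python audit parses constructed `ipmitool lan print` output for several BMCs and flags controllers that are outside a hypothetical out-of-band management network, use DHCP, or have no management VLAN; the hostnames, addresses and the management network are assumptions.

```python
import ipaddress
import re
# Constructed sample of `ipmitool lan print` output for three BMCs; the field
# names follow ipmitool's layout, the hostnames and addresses are made up.
SAMPLE_BMC_OUTPUT = {
    "db01": """IP Address Source       : Static Address
IP Address              : 10.20.0.15
802.1q VLAN ID          : 200
""",
    "web02": """IP Address Source       : DHCP Address
IP Address              : 203.0.113.45
802.1q VLAN ID          : Disabled
""",
    "fs03": """IP Address Source       : Static Address
IP Address              : 0.0.0.0
802.1q VLAN ID          : Disabled
""",
}
# Hypothetical out-of-band management networks that BMCs are allowed to use.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")

def parse_lan_print(text):
    # Turn `ipmitool lan print` output into a dict of field -> value.
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields

def assess_bmc(fields):
    """List the exposure problems in one BMC's LAN channel configuration."""
    addr = ipaddress.ip_address(fields.get("IP Address", "0.0.0.0"))
    if addr.is_unspecified:
        return []  # LAN channel not configured, so nothing is reachable
    findings = []
    if not any(addr in net for net in MGMT_NETS):
        findings.append("BMC address outside the management networks")
    if fields.get("IP Address Source", "").startswith("DHCP"):
        findings.append("BMC address assigned by DHCP")
    if fields.get("802.1q VLAN ID", "Disabled") == "Disabled":
        findings.append("BMC not on a tagged management VLAN")
    return findings

def audit(outputs):
    """Map hostname -> findings for every BMC that needs attention."""
    results = {h: assess_bmc(parse_lan_print(t)) for h, t in outputs.items()}
    return {h: f for h, f in results.items() if f}
```

Feeding the script real `ipmitool lan print` captures from an inventory gives the list of hosts whose controllers must be patched and moved behind the management network first.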

15 replies

Userlevel 7
Heaven help us from Admins and IT who fail to keep up with news and announcements, not just on software, but on the hardware and Firmware as well.
 

Userlevel 7
Badge +54
I agree David totally, they should be on top of things like this, when the problems are well known there is no excuse.
Userlevel 7
@ wrote:
I agree David totally, they should be on top of things like this, when the problems are well known there is no excuse.
At the risk of sounding redundant, I know on another thread somewhere around here, I stated that it seems as if QA has gone out the window.  Rather than being "on top of" or "ahead of" the game, it feels like all we are doing is being reactive to the latest hack, virus, no longer supported OS, etc.
 
What ever happened to being "pro-active"?
 


During my final year of college, I was fortunate enough to do a part-time internship with a very small company in NJ.  The task at hand was updating their manufacturing system — written in Business Basic — to allow for [ any guesses? ] yup, Y2K. :S
 
I received my degree in December of 1998, so, they were quite proactive IMHO allowing over two and a half years to update, de-bug, test and re-test and QA the new software.  It was fun!  Boring at times, but fun.  I even followed up with the owner after the ball dropped on New Year's Eve and all "heck" was supposedly going to break loose.  All was well! :D
 
If anyone wants to reminisce, Wikipedia has quite a good read about the subject http://en.wikipedia.org/wiki/Y2K
Userlevel 7
Badge +54
You are exactly right, everyone is always playing catch-up.
We may both be employed in totally different careers but they are similar. I went to college and finished in 1984 and we were taught how to do a job properly from start to finish, on the understanding that if you do it right to start with it saves going back and having to redo it later, cutting out the hassle.
I realise there are those who are on top of the game but obviously there are some who are not and they make people cast doubt over the whole industry, maybe it is cost cutting, I do not know, but that is the route that seems to be the trend these days.
Userlevel 6
@DavidP1970 wrote:
Heaven help us from Admins and IT who fail to keep up with news and announcements, not just on software, but on the hardware and Firmware as well.
The challenge is to have the time and the money to solve every single security issue which comes up. Besides that there's still lots of work: securing the network, managing access, monitoring, penetration tests... That's a full-time job, but how many companies can afford a CISO? For smaller companies it's even a problem to have a real IT person.
Userlevel 7
Yes, I know, and point well taken.  At the same time, this is not something that is checked daily... a regular schedule of maintaining is incredibly important.  I would not expect to see patches installed on every server affected within days of patch deploy, but time must be made for at least some form of regular checks to be made.
Userlevel 6
That's why I try to create processes for such tasks, put them on paper and assign schedules; this makes life much easier. 😉
Userlevel 7
Thanks for posting and sharing, Jasper!
More than 32000? It sounds absolutely incredible :S
And what's worse, these stats are still growing...
Userlevel 7
Badge +26
Thing is, companies rely on IT and it's their most precious resource, yet they neglect it and spend as little as they can on it.
Userlevel 7
@ wrote:
Thing is, companies rely on IT and it's their most precious resource, yet they neglect it and spend as little as they can on it.
Well said @ , well said. I personally find it mind-boggling that in this day and age IT is (in some cases) just an afterthought and deemed "low man on the totem pole" when it comes to the annual budget.  :@
Userlevel 7
Badge +54
Maybe it is a case of "If it ain't broke, don't fix it". Sad but maybe true: they escape being hacked and think they are OK, so they just keep putting it off until something happens, like the big hacks over the last 6 months.
Userlevel 7
@ wrote:
Maybe it is a case of "If it ain't broke, don't fix it". Sad but maybe true: they escape being hacked and think they are OK, so they just keep putting it off until something happens, like the big hacks over the last 6 months.
Which brings me back to my initial reply LOL.
 
It IS a huge problem: tight budgets and scarce resources, yet the need to keep up to date at all times before the unthinkable happens. 
Userlevel 7
Badge +56
Part of the problem is that a lot of products have security as an afterthought, rather than a central design principle.  It leaves a lot of sysadmins scrambling to keep up.
Userlevel 7
Badge +26
Also @ they use outdated and insecure stuff like Java and still rely on software that runs on old operating systems like Windows XP and dated browsers like IE6. They need to get with the times!
Userlevel 7
@ wrote:
Also @ they use outdated and insecure stuff like Java and still rely on software that runs on old operating systems like Windows XP and dated browsers like IE6. They need to get with the times!
Sadly, sometimes you're stuck working with what they have. :@
 
I suppose this issue applies more to older, more established companies that have been around for a while, 'cuz you know darn well that the newer bleeding-edge tech companies will have all the latest toys and software.