The vulnerability actually resides in the Baseboard Management Controller (BMC) in the WPCM450 line of chips incorporated into the motherboards. Security Researcher at CARInet Security Incident Response Team, discovered that Baseboard Management Controller (BMC) of Supermicro motherboards contain a binary file that stores remote login passwords in clear text and the file is available for download simply by connecting to the specific port, 49152.
Baseboard Management Controller (BMC) is the central part of the microcontroller that resides on server motherboard or in the chassis of a blade server or telecom platform. The BMC links to a main processor and other onboard elements via a simple serial bus.
Baseboard management controllers are part of the Intelligent Platform Management Interface (IPMI) protocol, which defines communication protocols and a server administrator can access the BMC by using an IPMI-compliant management application loaded on a computer or via a web interface via port 49152.
In order to compromise vulnerable servers, an attacker can perform Internet scanning on port 49152 to identify exploitable servers and can download remote login passwords which is stored in a binary file location “GET /PSBlock” of the motherboard in clear plain text.
When recently an Internet scan is performed on the Shodan, a specialized search engine for finding embedded systems, approximately 31,964 machines were found still vulnerable, a count that doesn't include the vulnerable systems installed on virtual environment used in shared hosting services.
"This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team.
An analysis of the passwords available for download also indicates that thousands of the passwords are really easily guessable or the default ones.
"It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I'm not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password.'"
He also found that lot of systems are running older versions of the Linux kernel. According to Shodan search, approximately 23,380 of the total hosts are running the 2.4.31.x kernel, another 112,883 are running the 2.4.30.x kernel, and 710,046 systems are running the 2.4.19.x kernel.
The vulnerable 84 firmwares are listed here and server administrators are advised to apply available patches from vendors. In order to apply patches, you need to flash the device with new firmware update. For quick and temporary fix, administrators can disable all universal plug and play processes and their related children processes using secure shell connection to a vulnerable devices.