Professionally Evil: Self Inflicted Injury at Vendor’s Request

It’s an unfortunate and still too common a vulnerability to find administrative interfaces exposed and configured with default passwords.  In some cases it doesn’t matter what else you might find like some sexy injection vulnerability;  if I can access your administrative controls and gut your infrastructure it’s game over and a resume generating event for IT staffers.

I came across an occurrence of this problem that had an interesting twist to it.  The organization had a provisioning and on-boarding process that verified that all default passwords were reset prior to going live, however in the course of my assessment, we found a significant number of “Out of Band Remote Management Devices” (e.g., HP ILO, Dell DRAC, Intel RMM2, Oracle ILOM, IBM IMM) that were configured with the default vendor password.  The worst exposure was the remote management interfaces for their blade chassis. 

These remote management devices allow an authenticated user to perform a variety of configuration and control activities that in the hands of an attacker can be devastating.  In some cases, accessing the remote management device on the chassis will also give you unchallenged access to the remote management device for each node in the chassis.  Think of the malicious possibilities.

When discussed with the client, at first they couldn’t understand how this could be since their process shouldn’t allow for the default password to be configured.  Then we found that at one point they engaged the vendor to fix a problem they were having and the vendor requested and provided instructions to reset the remote management devices back to the default password.  Unfortunately, after the work was done, the default passwords were not reset.   This was an eye-opening gap in the configuration management process.

Once identified, steps were immediately taken to reset the passwords and update their configuration management processes to regularly scan and alert for this condition.  All simple fixes for a very dangerous exposure and something all organizations need to consider.  Configuration management is a living process that requires active vigilance, evaluation and review; abundans cautela non nocet.  

Thom Dosedel is a Senior Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at thom@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

1 thought on “Professionally Evil: Self Inflicted Injury at Vendor’s Request”

Leave a Comment

Your email address will not be published. Required fields are marked *