Fixing SuperMicro IPMI NTP Vulnerability

Warning: This is at your own risk! If anything goes wrong, you may have to desolder the IPMI flash chip from the board to recover. If the IPMI controller is not responding, there is no way to correct it without an external programmer.

With my IPMI Firmware Tools, it’s pretty straightforward to correct the NTP reflection issue that’s present in SuperMicro IPMI firmware. This vulnerability is being massively exploited to conduct large DDoS attacks, so it’s pretty important to fix. SuperMicro has been pretty slow at correcting this, even though it’s a trivial configuration change.

# I'm using the firmware for the X8SIL-F board.  Your filename will differ here.
# Grab the IPMI firmware
$ wget http://www.supermicro.com/support/resources/getfile.aspx?ID=2597 -O SMT_313.zip

# Extract the firmware image (we don't need the rest)
$ unzip SMT_313.zip SMT_313.bin
Archive:  SMT_313.zip
  inflating: SMT_313.bin

# Grab my firmware tools
$ git clone https://github.com/devicenull/ipmi_firmware_tools.git

# Extract the image
$ cd ipmi_firmware_tools; python2.7 read_header.py --extract ../SMT_313.bin
Read 16777216 bytes
Bootloader md5 matches, this parser will probably work!
Dumping bootloader to data/bootloader.bin

Firmware image: 2 Name: 1stFS Base: 0x40180000 Length: 0x7be000 (8118272) Load: 0xd00000 Exec: 0xd00000 Image Checksum: 0xaec12c0a Signature: 0xa0ffff9f Type: file (0x8) Footer Checksum: 0x279680c7 * footer checksum matches
Dumping 0x1572864 to 0x9691136 to data/1stFS.bin
Image checksum matches

Firmware image: 3 Name: kernel Base: 0x40980000 Length: 0x112aa8 (1125032) Load: 0x8000 Exec: 0x8000 Image Checksum: 0x9cccf523 Signature: 0xa0ffff9f Type: active, copy2ram, exec, compressed (0x17) Footer Checksum: 0x13160eaa * footer checksum matches
Dumping 0x9961472 to 0x11086504 to data/kernel.bin
Image checksum matches

Firmware image: 4 Name: 2ndFS Base: 0x40b80000 Length: 0x1e1000 (1970176) Load: 0xd00000 Exec: 0xd00000 Image Checksum: 0x9a9c1cac Signature: 0xa0ffff9f Type: file (0x8) Footer Checksum: 0x3b896522 * footer checksum matches
Dumping 0x12058624 to 0x14028800 to data/2ndFS.bin
Image checksum matches

Firmware footer version 2 firmware version 3.19 checksum: 0x9f29618c tag: 0x7117
Firmware checksum matches

# Extract the root filesystem.  We can't just mount and edit, since CramFS is a read-only filesystem
$ cd data; mkdir -p origfs newfs; sudo mount -o loop 1stFS.bin ./origfs/; sudo cp -r origfs/* newfs/; sudo umount ./origfs/

# Correct the vulnerability, add a sane NTP config at the same time
# The 'restrict default' lines are the important ones here!
$ cat > newfs/usr/local/etc/ntp/ntp.conf <<ENDFILE
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
driftfile /tmp/ntp_drift
ENDFILE

# Regenerate the cramfs file with the updated config
$ sudo mkfs.cramfs newfs/ 1stFS.bin

# Rebuild the firmware image
$ cd ..; python2.7 rebuild_image.py
Writing bootloader...
Processing image 2
Processing image 3
Processing image 4
Done!

At this point, you will have a data/rebuilt_image.bin that contains the fixed firmware. As a quick sanity check, you should make sure that rebuilt_image.bin and your original firmware are the same length. From here, you just need to flash rebuilt_image.bin to the IPMI controller via the web UI. Make sure that you check the box to wipe the existing configuration (or it won’t start using the new ntp.conf).
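As an added example (not part of the original post, and not code from ipmi_firmware_tools), the following POSIX shell script wraps the two pre-flash checks above as reusable functions: that an ntp.conf actually carries both the `restrict default` and `restrict -6 default` lines with `noquery` (the flag that refuses the mode 6/7 control queries, such as `monlist`, that reflection attacks abuse) and `nomodify`, and that the rebuilt image has the same byte length as the original. The file names and the two sample configs it creates are constructed for the demo; in real use, point the functions at data/newfs/usr/local/etc/ntp/ntp.conf and at the two firmware images.

```sh
#!/bin/sh
# Added example, not the original post's or ipmi_firmware_tools' code.
# Two checks worth running before flashing a rebuilt IPMI image:
#   ntp_conf_restricts_queries FILE   -> 0 if FILE restricts default v4+v6 access with noquery and nomodify
#   same_length FILE_A FILE_B         -> 0 if both files have identical byte lengths

# Return 0 if the 'restrict default' line for the given family (4 or 6)
# exists and carries every required flag, 1 otherwise.
restrict_line_ok() {
    conf="$1"; family="$2"
    if [ "$family" = 6 ]; then
        line=$(grep -E '^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)' "$conf" | head -n 1)
    else
        line=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" | head -n 1)
    fi
    [ -n "$line" ] || return 1
    for flag in noquery nomodify; do
        # Match the flag as a whole word so a typo like 'noqueryx' is not accepted.
        echo "$line" | grep -Eq "[[:space:]]$flag([[:space:]]|$)" || return 1
    done
    return 0
}

# Both address families must be restricted; an unrestricted IPv6 listener
# would still answer mode 7 queries from anyone.
ntp_conf_restricts_queries() {
    restrict_line_ok "$1" 4 && restrict_line_ok "$1" 6
}

# Byte length of a file; 'tr' strips the leading spaces BSD wc emits.
file_length() {
    wc -c < "$1" | tr -d ' '
}

# The sanity check from the post: rebuilt image and original must match in length.
same_length() {
    [ "$(file_length "$1")" -eq "$(file_length "$2")" ]
}

# Constructed sample inputs so the script runs offline.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed: the hardened config from the post.
cat > "$workdir/fixed.conf" <<'EOF'
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
server 0.pool.ntp.org
driftfile /tmp/ntp_drift
EOF

# Constructed: a config with no default restrictions at all (fails the check).
cat > "$workdir/open.conf" <<'EOF'
server 0.pool.ntp.org
driftfile /tmp/ntp_drift
EOF

# Constructed stand-ins for the original and rebuilt images.
head -c 4096 /dev/zero > "$workdir/original.bin"
head -c 4096 /dev/zero > "$workdir/rebuilt_ok.bin"
head -c 4000 /dev/zero > "$workdir/rebuilt_short.bin"

if ntp_conf_restricts_queries "$workdir/fixed.conf"; then
    echo "fixed.conf: default access restricted (noquery, nomodify) for v4 and v6"
fi
if ! ntp_conf_restricts_queries "$workdir/open.conf"; then
    echo "open.conf: no 'restrict default' lines, still a reflection source"
fi
if same_length "$workdir/original.bin" "$workdir/rebuilt_ok.bin"; then
    echo "rebuilt_ok.bin: length matches original"
fi
if ! same_length "$workdir/original.bin" "$workdir/rebuilt_short.bin"; then
    echo "rebuilt_short.bin: length differs, do not flash"
fi
```

If the length check fails, the rebuild step did not produce a layout-compatible image, and the post's warning about an unrecoverable controller applies; stop there rather than flash.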

This is pretty straightforward, and you should not break anything doing this. It’s quite alarming that Supermicro has not yet updated all of their firmware to correct this issue.