At least 32,000 servers broadcast admin passwords in clear text
An alarming number of servers containing motherboards manufactured by
Supermicro continue to expose administrator passwords despite the
release of an update that patches the critical vulnerability, an advisory published Thursday warned.
The threat resides in the baseboard management controller (BMC), a
motherboard component that allows administrators to monitor the physical
status of large fleets of servers, including their temperatures, disk
and memory performance, and fan speeds. Unpatched BMCs in Supermicro
motherboards contain a binary file that stores remote login passwords in
clear text. Vulnerable systems can be detected by performing an
Internet scan on port 49152. A recent query on the Shodan search engine
indicated there are 31,964 machines still vulnerable, a number that may
not include many virtual machines used in shared hosting environments.
A separate blog post from security training institute SANS confirmed the contents of the advisory.
"The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," it stated. "One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word."
Other researchers chimed in with tweets such as:
The world is weird… all it takes is:
nc 49152
GET /PSBlock
for an admin password these days…
Wikholm said the Supermicro patch requires vulnerable motherboards to be "flashed" with new firmware, a process that's not feasible for many production servers. An alternative workaround involves establishing a secure shell connection to a vulnerable device and disabling all universal plug and play processes. While effective, the fix lasts only until the system is disconnected from a power source, making it possible for the vulnerability to be resurrected.
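For defenders who cannot flash firmware right away, the exposure described above can be watched for in connection logs. The following Python is an added example, not code from the advisory or the article: it flags connections to TCP port 49152 on BMC addresses from outside the management network and rates requests for /PSBlock highest. The log layout, subnet, BMC inventory and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed for this example, not from the article):
# the log layout, the management subnet and the BMC inventory.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
BMC_ADDRS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
BMC_PORT = 49152            # port named in the advisory
PASSWORD_PATH = "/PSBlock"  # path shown in the quoted tweet

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)'
    r'(?: req="(?P<req>[^"]*)")?$'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.20.0.5 dst=10.20.0.11 dport=49152 req="GET /PSBlock"
2024-01-01T10:00:07Z src=198.51.100.7 dst=10.20.0.11 dport=49152 req="GET /PSBlock"
2024-01-01T10:01:13Z src=198.51.100.7 dst=10.20.0.12 dport=49152
2024-01-01T10:02:40Z src=203.0.113.9 dst=10.20.0.12 dport=443 req="GET /"
not a log line
"""

def classify(line):
    """Return (severity, src, dst) for a line worth attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # line does not follow the constructed format
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    if dst not in BMC_ADDRS or int(m["dport"]) != BMC_PORT:
        return None
    parts = (m["req"] or "").split()
    fetched = len(parts) >= 2 and parts[1].split("?")[0] == PASSWORD_PATH
    if src in MGMT_NET:
        # Inside the management network only a password-file fetch is notable.
        return ("review", str(src), str(dst)) if fetched else None
    # Any outside source reaching the port means the BMC is exposed.
    return ("critical" if fetched else "exposed", str(src), str(dst))

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for severity, src, dst in scan(SAMPLE_LOG):
        print(f"{severity:8} {src} -> {dst}:{BMC_PORT}")
```

A "critical" or "exposed" finding means the BMC is reachable from outside the management network, and its passwords should be treated as disclosed and rotated once the port is closed off.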
Thursday's advisory comes 10 months after security researchers warned that as many as 100,000 Internet-connected servers sold by Dell, HP, and other large manufacturers contained BMCs that were vulnerable to remote hack attacks that steal passwords and install malware on their host systems. Those vulnerabilities were contained in the intelligent platform management interface, a protocol implemented in various BMCs.