Tuesday, September 9, 2014

Mindblowingly insecure SuperMicro remote management interface

This is somewhat mind boggling to me, maybe it's because I'm not a professional system administrator, but I had no idea that this existed. I maintain a Proxmox VM server running on a SuperMicro server mostly for my own use.

What happened

Our IT department told me a machine in my area was participating in a DDoS and gave me the MAC address. I couldn't find the MAC anywhere on my internal network, but its manufacturer was SuperMicro.

I asked for the offending IP, and was given an external (public) IP. Now I had turned my SuperMicro off, but when I entered the given IP I was greeted with a SuperMicro login page. I noticed my server's network lights were blinking...

It turns out that SuperMicro comes with something called IPMI, or Intelligent Platform Management Interface, that has the following properties:
  1. On by default.
  2. Obtains a dynamic IP by default.
  3. Default username/password is DEFAULT/DEFAULT.
  4. The IP/MAC address is not visible to the booted operating system, at least not with netstat etc.
  5. No option to disable.
A little searching reveals pages such as:
It's always great to see your server on the Metasploit website.

I disabled this temporarily by setting a static IP/gateway using invalid values.
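As an added example that is not part of the original post: the BMC's network settings can be read from the booted OS with ipmitool, which talks to the BMC through the host's IPMI device rather than over the network, so it shows the address that netstat never will (point 4 above). The script below pulls the relevant fields out of the output of `ipmitool lan print 1` and flags the two settings the post describes: DHCP-assigned addressing, and an address outside the private ranges. It runs against constructed sample output so it works offline; the ipmitool commands in the comments assume ipmitool is installed, the ipmi_si and ipmi_devintf kernel modules are loaded, and the BMC's LAN channel is 1 (the usual value on SuperMicro boards). The `access off` command is ipmitool's own way of disabling LAN access to the BMC; whether a given firmware honours it is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the BMC LAN settings as
# reported by `ipmitool lan print 1` and points at the fixes. Assumptions: ipmitool
# installed, ipmi_si/ipmi_devintf loaded, LAN channel 1.

# Extract one "Name : value" field from ipmitool's lan print output.
lan_field() {
    printf '%s\n' "$2" | sed -n "s/^$1 *: *//p" | head -n 1
}

# Report risky settings; returns 0 if none found, 1 otherwise.
audit_bmc_lan() {
    out="$1"
    problems=0
    src=$(lan_field 'IP Address Source' "$out")
    ip=$(lan_field 'IP Address' "$out")
    case "$src" in
        *DHCP*) echo "WARN: BMC address comes from DHCP (point 2 of the post)"; problems=1 ;;
    esac
    case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|0.0.0.0) ;;
        *) echo "WARN: BMC address $ip is not in a private range"; problems=1 ;;
    esac
    return $problems
}

# Constructed sample output in the format ipmitool prints (addresses are made up,
# taken from the documentation ranges 203.0.113.0/24 and 00:00:5e:00:53:xx).
RISKY_SAMPLE='Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 203.0.113.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1'

SAFE_SAMPLE='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.99.0.5
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 10.99.0.1'

# On a real host replace the sample with: audit_bmc_lan "$(ipmitool lan print 1)"
if audit_bmc_lan "$RISKY_SAMPLE"; then
    echo "BMC LAN config looks acceptable"
else
    echo "BMC LAN config needs attention; possible fixes (run as root):"
    echo "  ipmitool lan set 1 ipsrc static"
    echo "  ipmitool lan set 1 ipaddr 10.99.0.5   # address on an isolated management VLAN"
    echo "  ipmitool lan set 1 access off         # or disable LAN access to the BMC entirely"
fi
```

Pinning the BMC to a static address on a management VLAN that is not routed to the internet is the durable version of the post's "invalid static IP" workaround, and it keeps the interface usable for its actual purpose.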
