ipmi: freight train to hell #security #danfarmer

A paper on IPMI and BMC security:

ipmi: freight train to hell, plain HTML or dangerous PDF (bloated director’s cut; HTML was generated from word and edited down.)

– or –

ipmi: express train to hell, in HTML or PDF (1 page, G-rated version.)

The 2nd link is the express/single page/reader’s digest version, which has various generalities that I try to fully explain in the paper or supporting documents. Added bonus: if you buy now you’ll get free additional supporting materials along with a razor sharp virtual Ginsu knife!

Note – I’ve heard a LOT of people dismiss all this and claim that all you need to do to secure your IPMI/BMCs is to ensure that their network interfaces are on their own network and to be careful about that critical password. This is simply incorrect. If you haven’t read the paper or heard the arguments within you might read it to find out why I believe you’re dead wrong (and if you still disagree drop me a line and tell me!) Note that anyone with server admin access can manage the IPMI network settings of its BMC without authentication, attack the BMC, compromise it, and then pivot through to attack the management network.

Note #2. As if all the above weren’t enough, I just found out that the infamous Cipher Zero (0) is enabled by default on all my systems… this allows anyone to authenticate to the BMC with any password you choose (even if you manage to guess the correct one, that still works.) Fascinating stuff.
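A quick way to audit for the Cipher Zero default described above is to look at the per-suite privilege string that `ipmitool lan print <channel>` reports. The script below is an added example (not from the paper or this post): it parses that output, flags a BMC on which cipher suite 0 is still granted any privilege level, and prints the `ipmitool lan set ... cipher_privs` command that disables it. It assumes LAN channel 1, and the `ipmitool` output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: check whether cipher suite 0 ("Cipher Zero") is enabled on a
# BMC by inspecting the "Cipher Suite Priv Max" line of `ipmitool lan print`.
# The 15-character string has one character per cipher suite ID 0..14:
#   X = disabled, c = callback, u = user, o = operator, a = admin, O = OEM.
# Suite 0 is the first character; anything other than X means the BMC accepts
# RMCP+ sessions that skip authentication.

# Print the privilege character assigned to cipher suite 0, reading
# `ipmitool lan print` output from stdin.
cipher0_priv() {
    awk -F':' '/Cipher Suite Priv Max/ {
        gsub(/[ \t]/, "", $2); print substr($2, 1, 1); exit }'
}

# Succeed (exit 0) only if cipher suite 0 is disabled.
cipher0_disabled() {
    priv=$(cipher0_priv)
    [ "$priv" = "X" ]
}

# Produce the same privilege string with suite 0 forced to X, i.e. the
# value to hand to `ipmitool lan set <channel> cipher_privs`.
harden_privs() {
    awk -F':' '/Cipher Suite Priv Max/ {
        gsub(/[ \t]/, "", $2); print "X" substr($2, 2); exit }'
}

# Report on one BMC's `lan print` output ($1); return 1 if it needs fixing.
check_bmc() {
    if printf '%s' "$1" | cipher0_disabled; then
        echo "OK: cipher suite 0 disabled"
        return 0
    fi
    newprivs=$(printf '%s' "$1" | harden_privs)
    echo "WARNING: cipher suite 0 enabled; disable it with:"
    echo "  ipmitool lan set 1 cipher_privs $newprivs"
    return 1
}

# Constructed sample of `ipmitool lan print 1` output showing the weak
# default (suite 0 granted admin). Not from a real system.
SAMPLE_WEAK='Set in Progress         : Set Complete
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
'

# Constructed sample after remediation.
SAMPLE_FIXED='Cipher Suite Priv Max   : XaaaXXaaaXXaaXX
'

# Demonstration run against the constructed samples.
check_bmc "$SAMPLE_WEAK" || true
check_bmc "$SAMPLE_FIXED" || true
```

Against a live host the same functions take the real output, e.g. `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print 1 | cipher0_disabled` (or `ipmitool lan print 1` from the host OS, which, as the note above points out, needs no BMC credentials at all), so the check can be dropped into an inventory sweep of every BMC on the management network.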

via All the IPMI that’s fit to print.

3 Replies to “ipmi: freight train to hell #security #danfarmer”

  1. Those links don’t appear to be working.

    I read Dan’s discussion paper, a couple of months back; I think he may be mistaken in a couple of areas, based on my recollections of the ILOMs on Sun x86 kit, but I’d need to do some testing, to be sure…

  2. From what I have played with on the . it is as bad as it sounds. I found several boxes that were supposedly only able to talk IPMI out on the management network… but a proper “ping” on the other network interfaces would reset the box to listen on that interface.

    This all sounds familiar from 2004 or so… did Dan post this back then, or did someone else try to raise the clarion call back then(?)
