
IPMI: Freight Train to Hell (2013) [pdf] - angersock
http://fish2.com/ipmi/itrain.pdf
======
contingencies
It's good that you posted this, unfortunately most people remain blissfully
unaware of this information despite this paper dating from 2013 and other
public discussions also having taken place.

Dan Farmer, the author, wrote the original SATAN host security scanner. I had
some emails with Dan about IPMI circa 2013. His paper is a good restatement of
many of the problems of IPMI.

However, in my mind the biggest problem with IPMI, which is not really well
elucidated in this paper, is that it turns every machine into two machines,
and compromising either one means you can automatically compromise the other:
i.e. own the host, own the BMC by flashing it with vendor tools. Own the BMC,
own the host by any number of ways including memory manipulation, old-school
keyboard input, presenting fake devices to the running kernel, etc.

Unfortunately, it's therefore impossible to ever be completely sure you've got
control of a system. In the face of _any_ suspected attack you cannot ever
regain control with any confidence whatsoever, even by flashing firmware.

~~~
spotman
Yeah, so true.

Just had to retire a server a couple weeks ago, because of a new vulnerability
discovered in its IPMI firmware.

It's a bummer, because if your support contract runs out, sometimes you have
to pay to upgrade, which leaves you in a bind. In my case it made more sense
to just replace this one server.

But, ultimately I guess my point is that even if IPMI is patchable, there is
another hurdle: you can't as easily maintain it yourself as you can a Linux
host.

~~~
jlgaddis
I have a few old servers that don't get IPMI firmware updates anymore.
Fortunately, the IPMI interfaces are on their own small, isolated VLAN that's
behind a proper hardware firewall and only accessible from a handful of
management hosts.

------
mjg59
Things are a little better now - most vendors have disabled cipher 0, and
they're at least starting to pay attention to vulnerabilities (everything I've
reported in vendor firmware has been fixed within 6 months or so, which is
pretty impressive for groups that gave no fucks about security until
recently).

As far as the industry goes, with luck we're seeing a transition away from
IPMI and to the re-use of more general protocols. Redfish handles many bits of
IPMI functionality[1] using standard web technologies rather than reinventing
authentication and encryption, so ought to be less bad than hand-rolled
crypto.

[1] Serial over LAN is probably the biggest missing piece

------
bcoates
This is a little bit overblown--the security failings are unfortunate but not
surprising and realistically it's on a separate physical port for a reason.

Have an administrative VLAN for your physical box control plane and maintain
physical-level control of the ports with access to it and you're way ahead of
the game. Treat it like you would an unauthenticated KVM-over-IP device
because that's pretty much what it is. (You _should_ change away from the
default username/password, but if you're horrified about the idea of not doing
that, evaluate why, because _that's_ the real issue.)

That said, 300k IPMI devices on the public Internet is a travesty. Don't be
one of those guys.

~~~
skuhn
It's pretty telling that 20% of the public IPMI hosts are Supermicro. I
suspect that a lot of that is completely unintentional.

Supermicro has a completely brain-dead default behavior, where if you connect
power to the machine and the management Ethernet port doesn't have a link, it
migrates the IPMI interface to the first host Ethernet port. You can only fix
this by power cycling the BMC.

Since it will just ask DHCP for an IP address and might wind up on the
production VLAN, bad things can happen in environments that aren't prepared
for that.

~~~
bcoates
Wow. That's bad. I did not know that, thanks.
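One way to audit for the stray-BMC problem skuhn describes above (a BMC that falls over to a host NIC and takes a DHCP lease on a production VLAN) is to send an RMCP/ASF Presence Ping to UDP/623 on your own ranges and decode the Presence Pong, which is the same exchange ipmiping and nmap's asf-rmcp script use. This is an added example, not code from the thread or from any vendor; the sample Pong below is constructed, and the host passed to `probe` is an assumption.

```python
import socket
import struct
from typing import Optional

# RMCP / ASF 2.0 protocol constants (standard values, not page-specific)
RMCP_VERSION, RMCP_NOACK_SEQ, RMCP_CLASS_ASF = 0x06, 0xFF, 0x06
ASF_IANA = 0x000011BE            # IANA enterprise number used by ASF messages
ASF_PRESENCE_PING, ASF_PRESENCE_PONG = 0x80, 0x40
RMCP_PORT = 623


def build_presence_ping(tag: int = 0x01) -> bytes:
    """RMCP header (4 bytes) + ASF Presence Ping (8 bytes), no data."""
    rmcp = struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_NOACK_SEQ, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(packet: bytes) -> Optional[dict]:
    """Decode a Presence Pong; return None for anything that is not one."""
    if len(packet) < 28:                       # 4 RMCP + 8 ASF + 16 data
        return None
    version, _, _, cls = struct.unpack("!BBBB", packet[:4])
    if version != RMCP_VERSION or cls != RMCP_CLASS_ASF:
        return None
    iana, msg_type, tag, _, data_len = struct.unpack("!IBBBB", packet[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len != 0x10:
        return None
    oem_iana, _oem, entities, interactions = struct.unpack("!IIBB", packet[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "ipmi_supported": bool(entities & 0x80),        # bit 7: IPMI over RMCP
        "asf_version": entities & 0x0F,                 # bits 3:0 of entities
        "security_extensions": bool(interactions & 0x80),
    }


def probe(host: str, timeout: float = 1.0) -> Optional[dict]:
    """Send one Presence Ping to host:623 and decode the reply, if any."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _ = sock.recvfrom(64)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample Pong (not captured from a real BMC): IPMI bit set, ASF 1.0
SAMPLE_PONG = bytes.fromhex(
    "06 00 ff 06" "00 00 11 be 40 01 00 10"     # RMCP header, ASF Pong, tag 1, len 16
    "00 00 11 be" "00 00 00 00" "81 00" "00 00 00 00 00 00"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None  # assumed: a host on your VLAN
    print(probe(target) if target else parse_presence_pong(SAMPLE_PONG))
```

A responder with `ipmi_supported` set on a VLAN that should carry no management traffic is exactly the misplaced BMC the comment warns about.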

