
Linux Servers Appear Most Affected by IPMI Enabled JungleSec Ransomware Attacks - avivallssa
https://www.itprotoday.com/linux/linux-servers-appear-most-affected-ipmi-enabled-junglesec-ransomware-attacks
======
sofaofthedamned
This is ridiculously stupid.

First, your ipmi interface shouldn't be on the internet.

Second, of course these will identify as Linux - you wouldn't run Windows in
your ipmi server.

Third, encrypt your bootloader with a passphrase?! Good luck with that, and
dealing with each software and hardware issue getting you out of bed.

Here's a better idea - put your ipmi interface behind a hardware VPN on its
own VLAN and sleep soundly.

This is awful advice from an awful website.

~~~
mavhc
They're talking about putting a password on Grub to prevent booting into
single user mode, not encryption

~~~
viraptor
Not sure how effective that is, considering lots of iLOs give you the
possibility to mount a boot CD over the network, so you skip the whole grub.

~~~
craftyguy
iLO is a (proprietary) HP out-of-band thing, it's not IPMI (an open
specification out-of-band thing.)

~~~
xyzzy123
Yep, point stands though, you can mount a boot CD with e.g. Supermicro's IPMI
as well.

It’s still terrible advice (password protect your boot loader!) because you
have lost pretty badly already at that point.

------
lima
Useless article - you could replace "IPMI" with "SSH".

Also, password-protecting GRUB won't do much. An attacker can just boot to a
small rescue ISO (you can change the boot order via IPMI even if there's a
BIOS password - if your IPMI is owned, you lost).

------
ShakataGaNai
I am super confused here. Is there a particular vendor's brand of IPMI that is
compromised or being targeted? What does this have to do with Linux?

My SuperMicro server has IPMI. My Linux does not, unless you count SSH, which
wouldn't make any dang sense.

------
damm
Some cloud providers got this right; some didn't exactly...

Had a few Hetzner bare-metal Dell servers with iDRAC/IPMI exposed to the world.
It did have a good password.

SoftLayer/IBM makes me log in to a VPN to get into IPMI

(at least for me)

Exposing IPMI on the internet is stupid easy; just as it is stupid. It's the
laziness of "hey, I need to be able to get into the KVM console and I'm working
at home today..."

For example.

~~~
toast0
You can hit the SoftLayer IPMI from the private network on your other servers
(which is way more convenient than the VPN, but also a little scary).

Also, off topic, ipmitool pretty much works, including serial over LAN if you
configure your host OS properly. After I got that set up, I can usually avoid
the Java IPMI viewer!

~~~
vetrom
The article does a poor job of explaining the threat model, but I think you
hit on the exact problem here. OOB baseboard management should not have direct
access to other OOB management nodes, lest you invite that as an attack
vector.

Unfortunately I'm going to bet a notable amount of networks conflate say
routing layer and OOB management traffic and don't segregate the two (where
often routing protocols need to cross communicate but OOB baseboard management
does not.)
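
Both sofaofthedamned's point above (the IPMI interface should not be on the internet) and vetrom's (OOB management must be segregated from production routing) come down to one question: which network does the BMC's LAN address actually sit on? The following Python audit is an added example for this thread, not code from the article or from any commenter. It parses the `Key : Value` layout that `ipmitool lan print` emits and classifies the BMC address against the OOB management ranges you expect it to live in. The sample output, the management range `10.99.0.0/16`, and the rule that anything outside RFC 1918 space is treated as internet-reachable are all assumptions made for the example.

```python
"""
Where does this BMC's IPMI LAN interface actually sit?

Reads the field layout of `ipmitool lan print` and classifies the BMC
address against the out-of-band management ranges it should be confined to.
Added example; the sample output below is constructed, not from a real host.
"""
import ipaddress
import re
import sys

# RFC 1918 space. For this example a BMC outside it is assumed to be
# internet-reachable unless proven otherwise.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in the shape of `ipmitool lan print` output.
# 203.0.113.0/24 is a documentation range standing in for a public address.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 203.0.113.25
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:ab:cd:ef
Default Gateway IP      : 203.0.113.1
"""

# "Key   : Value"; the value may itself contain colons (MAC addresses).
_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

WHAT_IT_MEANS = {
    "UNCONFIGURED": "BMC LAN channel has no address; nothing reachable over IPMI",
    "OK": "address is inside an allowed OOB management range",
    "MISPLACED": "private address, but reachable from the production network",
    "EXPOSED": "address is outside RFC 1918 space; assume internet-reachable",
}


def parse_lan_print(text):
    """Return the 'Key : Value' lines of `ipmitool lan print` as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group("key").strip():
            fields[m.group("key").strip()] = m.group("value")
    return fields


def classify_bmc(lan_print, management_nets):
    """Classify the BMC's IP against the allowed OOB management ranges.

    Returns (ip, verdict); verdict is a key of WHAT_IT_MEANS.
    """
    fields = parse_lan_print(lan_print)
    ip = ipaddress.ip_address(fields.get("IP Address", "0.0.0.0"))
    if ip.is_unspecified:
        return str(ip), "UNCONFIGURED"
    allowed = [ipaddress.ip_network(n) for n in management_nets]
    if any(ip in net for net in allowed):
        return str(ip), "OK"
    if any(ip in net for net in RFC1918):
        return str(ip), "MISPLACED"
    return str(ip), "EXPOSED"


def audit(lan_print, management_nets):
    """One-line human-readable finding for the given `ipmitool lan print` text."""
    ip, verdict = classify_bmc(lan_print, management_nets)
    return f"{ip}: {verdict} - {WHAT_IT_MEANS[verdict]}"


if __name__ == "__main__":
    # Pipe real output in (`ipmitool lan print | python3 bmc_audit.py`),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LAN_PRINT
    print(audit(text, ["10.99.0.0/16"]))  # assumed OOB management range
```

The three non-OK verdicts map onto the thread's three failure modes: EXPOSED is the configuration the article is about, MISPLACED is the conflation of routed production traffic and OOB management that vetrom describes, and UNCONFIGURED is what you want on any host whose BMC you do not intend to reach over the network at all.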

------
simula67
IPMI implementations seem to be a mess in general

Matthew Garrett did an excellent presentation on the security horrors he faced
with IPMI:
[https://www.youtube.com/watch?v=GZeUntdObCA](https://www.youtube.com/watch?v=GZeUntdObCA)

Does anyone know if Redfish implementations have a better track record?

------
naner
Can't find any details on this; the details provided don't paint a clear
picture. Best I can guess is they are referring to implementations that
support virtual KVM access: gain control of an IPMI user, issue a power cycle
command, use virtual KVM to take control of the system on reboot.

