TA13-207A: Risks of Using the Intelligent Platform Management Interface (IPMI)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Title: TA13-207A: Risks of Using the Intelligent Platform Management Interface (IPMI)

US Computer Emergency Readiness Team banner graphic

National Cyber Awareness System:

07/26/2013 04:08 PM EDT

Original release date: July 26, 2013 | Last revised: July 30, 2013

Systems Affected

Any system connected to the internet running the Intelligent Platform Management Interface (IPMI) may be affected. IPMI is resident on many server platforms, and provides low-level access to a system that can override operating system controls.

Overview

Attackers can easily identify and access systems that run IPMI and are connected to the Internet. It is important to restrict IPMI access to specific management IP addresses within an organization and preferably separated into a separate LAN segment.

Description

What is the Intelligent Platform Management Interface (IPMI)?

IPMI is a low level interface specification that has been adopted by many hardware vendors.  It allows a system administrator to remotely manage servers at the hardware level.  IPMI runs on the Baseboard Management Controller (BMC) and provides access to the BIOS, disks, and other hardware.  It also supports remote booting from a CD or through the network, and monitoring of the server environment.  The BMC itself also runs a limited set of network services to facilitate management and communications amongst systems.

What Is the Risk?

Attackers can use IPMI to essentially gain physical-level access to the server.  An attacker can reboot the system, install a new operating system, or compromise data, bypassing any operating system controls.  Some issues identified by Dan Farmer

  • Passwords for IPMI authentication are saved in clear text.
  • Knowledge of one IPMI password gives you the password for all computers in the IPMI managed group.
  • Root access on an IPMI system grants complete control over hardware, software, firmware on the system.
  • BMCs often run excess and older network services that may be vulnerable.
  • IPMI access may also grant remote console access to the system, resulting in access to the BIOS.
  • There are few, if any, monitoring tools available to detect if the BMC is compromised.
  • Certain types of traffic to and from the BMC are not encrypted.
  • Unclear documentation on how to sanitize IPMI passwords without destruction of the motherboard.

Attackers can easily search and identify internet-connected target systems, and IPMI is no exception.

Impact

An attacker with knowledge of IPMI can search for, and find, open management interfaces. Many of these interfaces utilize default or no passwords, or weak encryption.  Further consequences depend on the type and use of the compromised system.  At the very least, an attacker can compromise confidentiality, integrity, and availability of the server once gaining access to the BMC.

Solution

Solution

Restrict IPMI to Internal Networks

Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls.  Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.

Utilize Strong Passwords

Devices running IPMI should have strong, unique passwords set for the IPMI service.  See US-CERT Security Tip ST04-002 and Password Security, Protection, and Management for more information on password security.

Encrypt Traffic

Enable encryption on IPMI interfaces, if possible.  Check your manufacturer manual for details on how to set up encryption.

Require Authentication

"cipher 0" is an option enabled by default on many IPMI enabled devices that allows authentication to be bypassed.  Disable "cipher 0" to prevent attackers from bypassing authentication and sending arbitrary IPMI commands.  Anonymous logins should also be disabled.

Sanitize Flash Memory at End of Life

Follow manufacturer recommendations for sanitizing passwords.  If none exists, destroy the flash chip, motherboard, or other areas the IPMI password may be stored. 

Identify Affected Products

  •  Most server products
    • HP Integrated Lights Out
    • Dell DRAC
    • IBM Remote Supervisor Adapter

References

Revision History

  • July 26, 2013

This product is provided subject to this Notification and this Privacy & Use policy.


This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110 Powered by GovDelivery

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux