
US-CERT Warning on BMC & IPMI Security Risks

Posted on August 12, 2013 by Gento

The US Computer Emergency Readiness Team (US-CERT) issued an alert (TA13-207A) on IPMI usage on July 26th, with recommendations for IT departments. This is based on the work of Dan Farmer and HD Moore that I summarized in my previous blog on this topic.

The US-CERT alert summarizes many of the risks and issues, and provides recommended solutions for administrators. Solutions include: restrict IPMI to internal networks, use strong passwords, require authentication, sanitize flash memory at end of life, and identify affected products. A list of BMCs is provided, although it is not a complete list of these devices or of the servers that use them.

While these solutions are a step in the right direction, they are not sufficient to address all of the security issues listed by Farmer and Moore. For example, running IPMI on internal networks still leaves it exposed to viruses or worms that may already exist on those networks. And if strong passwords are not enforced by the systems themselves, some passwords will not be strong. Furthermore, authentication should be sufficiently strong, and for government and military organizations FIPS 140-2 encryption is required along with two-factor authentication (e.g. CAC).

These solutions also do not address many of the structural issues with BMCs and IPMI, including direct access to the server's motherboard, storage of clear-text passwords, virtually unlimited server control, and access to the BMC from a compromised server.

IT administrators and security officers should consult Farmer's and Moore's work directly to understand the specific dangers to their environment and take the appropriate actions. Administrators should follow the security best practices defined by the server manufacturer and ensure that their servers run the latest BMC firmware, so that the latest security patches are applied. It's also a good idea to make sure your security scanner audits these devices for vulnerabilities.
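One way to turn the alert's recommendations into a repeatable audit is to check each BMC in your inventory against them. The script below is an added example, not code from the original post or from US-CERT; the inventory fields, the management subnet, the firmware baseline and the password-length policy are assumptions.

```python
"""Audit a BMC inventory against the TA13-207A recommendations.

Added example (not from the original post or US-CERT): the inventory
format, field names, management subnet and baselines are assumptions.
"""
import ipaddress

# Constructed sample inventory; in practice this comes from your CMDB.
INVENTORY = [
    {"host": "db01-bmc", "ip": "10.10.0.12", "firmware": "2.61",
     "auth_required": True, "min_password_len": 12},
    {"host": "web02-bmc", "ip": "192.0.2.40", "firmware": "1.92",
     "auth_required": False, "min_password_len": 0},
]

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed out-of-band network
MIN_FIRMWARE = "2.50"                                # assumed vendor patch baseline
MIN_PASSWORD_LEN = 12                                # assumed password policy


def version_tuple(v):
    """Turn '2.61' into (2, 61) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit_bmc(bmc, mgmt_nets=MGMT_NETS):
    """Return the list of recommendation violations for one BMC record."""
    findings = []
    addr = ipaddress.ip_address(bmc["ip"])
    # 1. IPMI over LAN (RMCP, UDP/623) should be reachable only from the management network.
    if not any(addr in net for net in mgmt_nets):
        findings.append("ipmi-outside-management-network")
    # 2. Authentication must be required on the BMC ...
    if not bmc["auth_required"]:
        findings.append("authentication-not-required")
    # 3. ... and strong passwords enforced by the device, not just by a policy document.
    if bmc["min_password_len"] < MIN_PASSWORD_LEN:
        findings.append("weak-password-policy")
    # 4. Firmware below the vendor's patched baseline means known fixes are missing.
    if version_tuple(bmc["firmware"]) < version_tuple(MIN_FIRMWARE):
        findings.append("outdated-firmware")
    return findings


def audit_inventory(inventory=INVENTORY):
    """Map each host to its findings; an empty list means the host is compliant."""
    return {bmc["host"]: audit_bmc(bmc) for bmc in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(host, "OK" if not findings else ", ".join(findings))
```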
