The Raritan Blog

The Dangers of BMC’s and IPMI Highlighted by Security Researchers

Richard Dominach
July 26, 2013

Security

Recent articles in Network World, Dark Reading, Wired, and Security Week have highlighted the shocking and widespread security vulnerabilities of Baseboard Management Controllers (BMC) (and the associated Intelligent Platform Management Interface (IPMI) protocol), used for remote server management by corporations, service providers and hosting companies.

BMCs, available from all leading server manufacturers, have direct access to the server’s motherboard. This provides the ability to monitor, boot, and even reinstall the server. Many systems provide KVM-over-IP access and the connection of remote media. Access to the BMC provides virtually unlimited remote control of the server.

Two security researchers have identified these vulnerabilities: Dan Farmer, who originally discovered and documented the vulnerabilities (fish2.com/ipmi/), and HD Moore, who describes how to identify and test for these issues, using readily available security tools. Moore discovered over 300,000 IPMI-enabled vulnerable servers connected to the Internet, as well as additional vulnerabilities.

BMC/IPMI vulnerabilities include: Cipher 0 authentication allowing access with any password, BMC-provided password hashes which can be broken via brute-force methods, BMCs shipping with “anonymous” access enabled, a UPnP vulnerability that provides root access to the BMC, and storage of clear-text passwords. Once the BMC is broken into, there are multiple ways to infect, control, and take over the server. Conversely, for a compromised server, the BMC can be used to establish a backdoor user account.
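A defensive audit of the configuration weaknesses listed above, as an added example that is not from the article or from Raritan: it parses text in the style of `ipmitool lan print` and `ipmitool user list` (constructed sample output, not captured from any real device) and flags cipher suite 0, IPMI 1.5 “NONE” authentication, and an enabled anonymous user account.

```python
import re

# Constructed sample output in the style of `ipmitool lan print 1` and
# `ipmitool user list 1`, deliberately showing weak settings; not captured
# from any real device.
LAN_PRINT = """\
IP Address              : 192.0.2.10
Auth Type Enable        : Callback : MD5
                        : User     : NONE MD5
                        : Admin    : MD5 PASSWORD
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""

USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       USER
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""

def audit_lan(text):
    """Flag cipher suite 0 and IPMI 1.5 'NONE' authentication in lan print output."""
    findings, in_auth = [], False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key:                                   # continuation lines have an empty key
            in_auth = key == "Auth Type Enable"
        if in_auth:                               # "<level> : <space-separated auth types>"
            level, _, types = val.partition(":")
            if "NONE" in types.split():
                findings.append("auth type NONE enabled for %s level" % level.strip())
        elif key == "RMCP+ Cipher Suites" and "0" in val.split(","):
            findings.append("cipher suite 0 enabled (password not checked)")
        elif key == "Cipher Suite Priv Max" and val[:1] != "X":
            # position 0 is cipher suite 0; X means disabled, a/u/o/A grant access
            findings.append("cipher suite 0 privilege limit is %r, should be X" % val[:1])
    return findings

def audit_users(text):
    """Flag enabled accounts with an empty (anonymous) user name in user list output."""
    findings = []
    pat = re.compile(r"(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(\S+)")
    for line in text.splitlines()[1:]:            # skip the header row
        m = pat.match(line)
        if m and m.group(2) == "" and m.group(5) == "true":
            findings.append("anonymous user id %s enabled with %s privilege" % (m.group(1), m.group(6)))
    return findings
```

Run both functions against the output of your own BMCs and treat any non-empty result as a finding to raise with the server manufacturer, since the remediation steps differ per vendor.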

All server administrators and security officers need to be aware of Farmer’s and Moore’s work and understand how it affects their servers. As IPMI and BMC implementations vary, consult your server manufacturer(s). Farmer provides IPMI security best practices (fish2.com/ipmi/bp.pdf) and Moore provides a useful FAQ.

While this research is rather new and there is much to digest, Raritan’s experts do agree that there are indeed vulnerabilities that customers should take seriously. Given the power and opacity of the BMC, this is doubly true.

Moore: “In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys.”

Moore: “The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.”

Farmer: “Imagine trying to secure a computer with a small but powerful parasitic server on its motherboard; a bloodsucker that can’t be turned off and has no documentation; you can’t login, patch, or fix problems on it; server-based defensive, audit, or anti-malware software can’t be used. Its design is secret and implementation old.”

Farmer: “It’s also the perfect spy platform: nearly invisible to its host, it can fully control the computer’s hardware and software, and it was designed for remote control and monitoring.”


Data Center Efficiency Innovation Seminar

Dorothy Ochs
July 2, 2013

Meet the creators and builders of innovative, efficient data center infrastructure solutions and learn how they can provide smart solutions to your growing data center challenges.

This event is perfect for engineers and end users looking to improve productivity and efficiency in data center power, cooling, network management, and environmental monitoring.

Please join us at IO New Jersey on Wednesday, July 24th – the largest modular data center in the New York area – for an info-packed day, complete with a keynote presentation from Syska Hennessy, networking opportunities, efficiency innovation presentations, and a tour of IO.

Keynote Speaker:
Ed Lao, P.E. - Syska Hennessy

Ed is a registered professional engineer licensed in various US states and has 25+ years of specialized experience focused on electrical engineering. From electrical design, testing/commissioning, project management, to training for data center operations and maintenance, he’s been actively involved in the design of mission critical facilities worldwide.


Just in from Cisco Live!

Richard Brooke
June 28, 2013

From Cisco Live! today, Eli the Computer Guy explains what’s so cool about our intelligent power distribution units.

It’s “BEYOND pretty cool” that our iPDUs connect into Active Directory, so you can assign users permissions to individual ports so only they can power cycle those ports.


Limited complimentary passes available for DatacenterDynamics San Francisco Show

Dorothy Ochs
June 28, 2013

Raritan has a limited number of complimentary passes valued at $495. Contact Dorothy Ochs at Dorothy.Ochs@Raritan.com or (732) 764-8886 x1220.

Don’t miss our presentation titled “Deploying High Power at the Rack – How to Determine and Design for Peak Power Demand.” Time: 2:10 - 2:50 PM, Location: Hall 3. We will be raffling an Up by Jawbone at this session.

And don’t forget to visit our booth to see the latest power management and DCIM solutions. We are also raffling a GoPro camera at the booth. Hope you can join us.


In the Hot Aisle with the Data Center Detectives…

Naim Malik
June 27, 2013

Sherlock: My Dear Wattson, Data Center Managers are raising their intake temperature in order to cut cooling costs and carbon emissions, lower their PUE, and save money. Nowadays most PDUs are installed in the hot aisle where air temperatures are often 10-20°C higher than the inlet side. With Raritan’s PDUs rated at 50-60°C, higher than the PDU rating from other manufacturers, managers can safely increase their inlet temperature by many degrees. Most newer equipment can run in temperatures near 40°C so even with a headroom of 10°C, inlet air temperature can be as high as 30°C.

Wattson: And that’s why it makes sense to check the PDU’s temperature rating before you buy, to save on energy consumption.

