September 6, 2013
A University of Michigan team has published their research on IPMI and BMC security issues. Entitled “Illuminating the Security Issues Surrounding Lights-Out Server Management,” this article follows up on the IPMI/BMC security issues highlighted by Dan Farmer and HD Moore as summarized in my previous blog on this subject. The Department of Homeland Security’s US-CERT team has posted an alert on the IPMI security risks.
The researchers provide an introduction to the issues, note the previous research, define IPMI/BMC security risks and analyze a particular implementation and describe their successful attack on this implementation. They found “blatant textbook vulnerabilities” and concluded that the implementations “suggest either incompetence or indifference towards customer security.” They then determine the number of publicly (Internet) accessible IPMI devices, which they determine to be more than 105,000. They provide some defenses and lessons and indicate areas for future work. The Washington Post has published an article on the paper and interviewed one of the authors, who criticizes the embedded device community for their security practices.
Customers who make use of BMC and IPMI based remote management cards and systems need to be aware of these issues and take the proper steps to safeguard their implementations. Given the severity of these issues, they should consider alternative remote management solutions such as KVM-over-IP switches, which can avoid most of these risks.