August 12, 2013
The US Computer Emergency Readiness Team (US-CERT) issued an alert (TA13-207A) on IPMI usage on July 26th, with recommendations for IT departments. This is based on the work of Dan Farmer and HD Moore that I summarized in my previous blog on this topic.
The US-CERT alert summarizes many of the risks and issues and provides recommended solutions for administrators. Solutions include: restrict IPMI to internal networks, utilize strong passwords, require authentication, sanitize flash memory at and of life, and identify affected products. A list of BMC’s are provided, although this is not a complete list of these devices and the servers utilizing them.
While these solutions are a step in the right direction, they are not sufficient to address all of the security issues listed by Farmer and Moore. For example, using IPMI on internal networks allows it to be attacked by viruses or worms that may exist on these networks. And if strong passwords are not enforced by systems, then some passwords may not be strong. Furthermore, authentication should be sufficiently strong, and for government and military organizations, FIPS 140-2 encryption is required along with two-factor authentication (e.g. CAC).
These solutions do not address many of the structural issues with BMC’s and IPMI including direct access to the server’s motherboard, storage of clear text passwords, virtually unlimited server control, and access to the BMC from a compromised server.
IT administrators and security officers should directly consult Farmer’s (fish2.com/ipmi/bp.pdf) and Moore’s* work to understand the specific dangers to their environment and take the appropriate actions. Administrators should follow the security best practices as defined by the server manufacturer and ensure that their servers have the latest BMC firmware, such that the latest security patches are applied. It's a good idea to make sure your security scanner audits these devices for vulnerabilities.