RE: WaPo writes about vulnerabilities in Supermicro IPMIs

["Tom Walsh - EWS" <mailinglists () expresswebsystems com>]

> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Thursday, August 15, 2013 8:48 PM
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: WaPo writes about vulnerabilities in Supermicro IPMIs
>
> On Thu, 15 Aug 2013 21:00:01 -0400, Jay Ashworth said:
> > Presumably, everyone else's are very religious as well.
> >
> > Is anyone here stupid enough not to put the management interfaces
> > behind a firewall/VPN?
>
> In most cases, this requires plugging in two separate ethernet cables
> without wondering why you asked to be provisioned one IP address....

I would just like to point out that the Supermicro IPMI interface (on the
built in IPMI cards in the X8*-F boards and greater) automatically proxy the
IPMI interface with the ETH0 interface if a connection isn't present on the
physical interface. So in certain circumstances (dhcpd on eth0, IPMI
defaults to dhcp as well) you can be exposing the IPMI interface and not
even know it.

The Supermicro IPMI has an incredibly poor security history (even in its
relatively short life span). There were some initial versions of the IPMI
SSHd that allowed a complete bypass of the SSHd auth mechanism on the IPMI
interface. I believe that there was also a backdoor username and password
combination in some of the earlier firmware revisions.

Supermicro IPMI interfaces should be isolated at all costs, and many in the
dedicated server hosting industry are well aware of this fact. There has
been some in depth discussion about the security of these things for several
years on a couple of forums (WHT).