On Wed, Dec 24, 2025, 02:59 Saku Ytti via NANOG .
Personally, I don't care about BMC security, it's not important. People are asking it to be CLI only, it was, so was CMP, BMC and CMP were what we wanted, we just didn't bother figuring it out.
I mean it's not like a serious flaw was ever found[0] on the thing that grants access to "ring -4" and above. I'm sure those security guys are just giving you a hard time for funzies, those scoundrels!

[0]
a. http://fish2.com/ipmi/cipherzero.html
   https://nvd.nist.gov/vuln/detail/CVE-2013-4782
   https://nvd.nist.gov/vuln/detail/CVE-2013-4783
   https://nvd.nist.gov/vuln/detail/CVE-2013-4784
   https://nvd.nist.gov/vuln/detail/CVE-2014-2955
b. https://eclypsium.com/blog/virtual-media-vulnerability-in-bmc-opens-servers-...
c. https://nvd.nist.gov/vuln/detail/cve-2019-6260