-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Thursday, August 15, 2013 8:48 PM To: Jay Ashworth Cc: NANOG Subject: Re: WaPo writes about vulnerabilities in Supermicro IPMIs
On Thu, 15 Aug 2013 21:00:01 -0400, Jay Ashworth said:
Presumably, everyone else's are very religious as well.
Is anyone here stupid enough not to put the management interfaces behind a firewall/VPN?
In most cases, this requires plugging in two separate ethernet cables without wondering why you asked to be provisioned one IP address....
I would just like to point out that the Supermicro IPMI interface (on the built in IPMI cards in the X8*-F boards and greater) automatically proxy the IPMI interface with the ETH0 interface if a connection isn't present on the physical interface. So in certain circumstances (dhcpd on eth0, IPMI defaults to dhcp as well) you can be exposing the IPMI interface and not even know it. The Supermicro IPMI has an incredibly poor security history (even in its relatively short life span). There were some initial versions of the IPMI SSHd that allowed a complete bypass of the SSHd auth mechanism on the IPMI interface. I believe that there was also a backdoor username and password combination in some of the earlier firmware revisions. Supermicro IPMI interfaces should be isolated at all costs, and many in the dedicated server hosting industry are well aware of this fact. There has been some in depth discussion about the security of these things for several years on a couple of forums (WHT).