Addressing the security vulnerabilities of IPMI-enabled systems

The Intelligent Platform Management Interface (IPMI) protocol presents a number of security vulnerabilities. Uncover how to mitigate the risks.

Security researchers have discovered that thousands of Web-connected servers are utilizing the highly vulnerable...

Intelligent Platform Management Interface protocol. Why is the IPMI protocol vulnerable, and what can we do to secure systems that use it against potential threats?

Ask the Expert

Do you have a network security question? Submit it now via email! (All questions are anonymous.)

First, a little background on IPMI may be in order. IPMI is an interface used by system administrators to communicate with the Baseboard Management Controller (BMC) on a server. This is critical when an operating system has had some sort of failure and access to the OS is no longer possible.

Prior to deploying a given server, the BMC is given an IP address within the BIOS settings and, upon system failure, administrators can easily access the failed system via the BMC's assigned IP address. All communication is conducted via the IPMI protocol as the system administrator attempts to bring the system back up.

Clearly, any access to the BMC by nefarious individuals can be devastating to a server.

During a collaborative effort between the Defense Advanced Research Projects Agency and Rapid7, the IPMI was determined to be vulnerable on six different fronts. I will focus on the two most profoundly critical instances.

The first vulnerability entails a concept known as Cipher 0. Within the IPMI specification developed by Intel Corp., 15 Cipher suites are available. The first Cipher suite, Cipher 0, allows full access to the BMC. Authentication is not required when accessing the BMC via Cipher 0, and on many BMCs, Cipher 0 is left on by default, creating a huge vulnerability. If an attacker obtains connectivity to the BMC while Cipher 0 is on, they could potentially change a litany of kernel settings and downgrade firmware versions to levels where known vulnerabilities exist.

The second vulnerability lies in the IPMI 2.0 RAKP authentication mechanism. This vulnerability involves the sending of salted password hashes to the client prior to authentication. In normal authentication, the client sends a password to the server, and the server verifies the password matches the hash in its password file. If the hashes match, the client is considered authenticated, and can then communicate securely. Within the IPMI 2.0 RAKP authentication vulnerability, an attacker can submit a password guess and receive a salted hash. The attacker can then simply take the hash he received, and begin crack attempts offline.

The first step any organization should take to secure IPMI-enabled systems against these and other vulnerabilities is to ensure that Cipher 0 is turned off. The second step involves connectivity to the BMC. In many cases the BMC is accessed via an RJ45 port, and in other cases it is accessed via a separate Ethernet port. Either way, ensure that the IP address assigned to the BMC port is an internal IP address as opposed to an external one. This way, system administrators can ensure that the port can ONLY be accessed from inside the LAN and not from the Internet.

This was last published in April 2014

Dig Deeper on IPv6 security and network protocols security