In Which I Savagely Impugn the Honor and Monoculture of IPMI & its Friends
IPMI+ Security Paper
June 4th, 2014 - paper
A paper (11 pages) surveying IPMI and BMC security on the Internet; version 1.00 (June 4th, 2013):
A modestly lengthy paper (31 pages) on IPMI and BMC security; version 2.01 (August 12th, 2013):
IPMI: Freight Train to Hell, bloated director's cut.
- or -
The one-page version is the express/single page/reader's digest one; it has various generalities I try to fully explain in the paper or supporting documents.
Note #2. HD Moore put together a really fine set of methods to exploit various issues with IPMI. Required reading for some of the dangers. Dark times ahead (not because of his work ;))
Note #3. Zach Wikholm reported a nigh critical vulnerability (also reported last year, and I found about 30K then in a spot scan as well, but it's high time people started actually listening) in about a zillion and one (est :)) SuperMicro BMCs, as well as some interesting other problems. If you have a SM you really need to check this out. Spot checks reveal a LOT of vulnerable BMCs because of recovered passwords - for more see: Big Trouble in little BMC land
Kudos to Zach for finding these things, and Cari.net for supporting him.
Note #4. Facebook has put out OpenBMC, an interesting looking implementation that, in theory, may be placed on BMCs. Problematically, most vendors (HP, Dell, IBM, etc.) won't let you install firmware that isn't signed by them... so you're out of luck. Plus, the low-level drivers and so on... who knows. I couldn't get it to build, myself, but let's remain hopeful. If anyone knows of (publicly available) hardware that this will actually run on, drop me a line.
A very small assortment of server vendors, at least to provide some context; if you haven't heard of their version of IPMI, you've at least heard of them, assuming you're reading this on a computer. Most seem to simply give out the images, which contain the BMC's operating system and basic boot environment, but a few require a service contract or relationship with the vendor (which I didn't have). I had access to the first 3 here, and some sketchy notes to the first 4; click the vendor icon to see more.
|Vendor||IPMI Flavor||Latest Version||BMC Flash Images|
| ||iDRAC (Integrated Dell Remote Access Card)||iDRAC 7||Anyone may download|
| ||iLO (Integrated Lights Out)||iLO 4||Anyone|
| ||Supermicro Intelligent Management||? (IPMI 2.0)||Anyone|
| ||IMM?||IMM (legacy IBM?)||Anyone|
| ||IMM (Integrated Management Module)||IMM2||Requires service contract|
| ||iRMC (Integrated Remote Management Controller)||iRMC S3||Anyone|
| ||ILOM (Integrated Lights Out Manager)||ILOM 3||Requires service contract|
Source for the S5520 Server Platforms - a dozen BMCs on various Intel boards - kudos to Intel! (Presumably they have others out there, I was sent this link.)
|Nuvoton||Hong Kong and Shenzhen|
|Emulex||... at least some presence in Beijing and Shanghai|
|ATEN||HQ in Taiwan, factories in Shenzhen.|
|Winbond||Housed in Taiwan, also in Kunshan city, China.|
|Avocent||Beijing and Guangzhou|
|ASPEED||HQ'd in Taiwan, factories/subsidiary in China|
|Renesas||Mainland China and Hong Kong|