In Which I Savagely Impugn the Honor of IPMI & its Friends
IPMI+ Security Paper
A paper on IPMI and BMC security:
IPMI: Freight Train to Hell, plain HTML or dangerous PDF (bloated director's cut; HTML was generated from word and edited down.)
- or -
IPMI: Express Train to Hell, in HTML or PDF (1 page, G-rated version.)
The 2nd link is the express/single page/reader's digest version, which has various generalities that I try to fully explain in the paper or supporting documents. Added bonus: if you buy now you'll get free additional supporting materials along with a razor sharp virtual Ginsu knife!
Note - I've heard a LOT of people dismiss all this and claim that all you need to do is to secure your IPMI/BMC's is to ensure that their network interfaces are on their own network and be careful about that critical password. This is simply incorrect. If you haven't read the paper or heard the arguments within you might read it to find out why I belive you're dead wrong (and if you still disagree drop me a line and tell me!) Note that any with server admin access can manage the IPMI network settings of its BMC without authentiation, attack the BMC, compromise it, and then pivot through to attack the management network.Note #2. As if all the above weren't enough, I just found out that the infamous Cipher Zero (0) is enabled by default on all my systems... this allows anyone to authenticate to the BMC with any password you choose (even you manage to guess the correct one, that still works.) fascinating stuff.
Note #3. You want into your iDRAC's BMC? A small writeup on how you can do this, at least on some BMCs.
- Feedback
- Agree or no, feel free to drop me a line: zen @ either fish2.com or trouble.org.
- If you've done development/guts work with IPMI/BMCs and would care to chat, let me know!
- Q's, FAQs, WTFs
- Tech Notes/Addendums
- IPMI protocol notes (coming ASAP)
- BMC notes (coming ASAP)
- A few methods to extract or capture an IPMI password
- Notes on breaking into/after IPMI stuff (work in progress)
- Misc paper additions
- Very small bits of ipmi related software by me
Server Vendors
A very small assortment of server vendors, at least to provide some context; if you haven't heard of their version of IPMI, you've at least heard of them, assuming you're reading this on a computer. Most seem to simply give out the images, which contain the BMC's operating system and basic boot environment, but a few require a service contract or relationship with the vendor (which I didn't have.) I had access to the first 3 here, and some sketchy notes to the first 4; clicking the vendor icon to see more.
| Vendor | IPMI Flavor | Latest Version | BMC Flash Images |
|---|---|---|---|
 | iDRAC (Integrated Dell Remote Access Card) | iDRAC 7 | Anyone may download |
 | iLO (Integrated Lights Out) | iLO 4 | Anyone |
 | Supermicro Intelligent Management | ? (IPMI 2.0) | Anyone |
 | IMM? | IMM (legacy IBM?) | Anyone |
 | IMM (Integrated Management Module) | IMM2 | Requires service contract |
 | iRMC (Integrated Remote Management Controller) | iRMC S3 | Anyone |
 | ILOM (Integrated Lights Out Manager) | ILOM 3 | Requires service contract |
Firmware Vendors
| Vendor | Manufactured in... |
|---|---|
| Nuvoton | Hong Kong and Shenzhen |
| Emulex | ... at least some presence in Beijing and Shanghai |
| ATEN | HQ in Taiwan, factories in Shenzhen. |
| Winbond | Housed in Taiwan, also in Kunshan city, China. |
| Avocent | Beijing and Guangzhou |
| ASPEED | HQ'd in Taiwan, factories/subsidiary in China |
| Renesas | Mainland China and Hong Kong |
