In Which I Savagely Impugn the Honor and Monoculture of IPMI & its Friends
IPMI+ Security Paper
June 4th, 2014 - new paper
A paper (11 pages) surveying IPMI and BMC security on the Internet; version 1.00 (June 4th, 2013):
A modestly lengthy paper (31 pages) on IPMI and BMC security; version 2.01 (August 12th, 2013):
IPMI: Freight Train to Hell, bloated director's cut.
- or -
The one-page version is the express/single page/reader's digest one; it has various generalities I try to fully explain in the paper or supporting documents.
Note #2. HD Moore put together a really fine set of methods to exploit various issues with IPMI. Required reading for some of the dangers. Dark times ahead (not because of his work ;))
New serious problem. Note #3. Zach Wikholm reported a nigh critical vulnerability (also reported last year, and I found about 30K then in a spot scan as well, but it's high time people started actually listening) in about a zillion and one (est :)) SuperMicro BMCs, as well as some other interesting problems. If you have a SM you really need to check this out. Spot checks reveal a LOT of vulnerable BMCs because of recovered passwords - for more see: Big Trouble in little BMC land
Kudos to Zach for finding these things, and Cari.net for supporting him.
A very small assortment of server vendors, at least to provide some context; if you haven't heard of their version of IPMI, you've at least heard of them, assuming you're reading this on a computer. Most seem to simply give out the images, which contain the BMC's operating system and basic boot environment, but a few require a service contract or relationship with the vendor (which I didn't have). I had access to the first 3 here, and some sketchy notes to the first 4; click the vendor icon to see more.
|Vendor||IPMI Flavor||Latest Version||BMC Flash Images|
| ||iDRAC (Integrated Dell Remote Access Card)||iDRAC 7||Anyone may download|
| ||iLO (Integrated Lights Out)||iLO 4||Anyone|
| ||Supermicro Intelligent Management||? (IPMI 2.0)||Anyone|
| ||IMM?||IMM (legacy IBM?)||Anyone|
| ||IMM (Integrated Management Module)||IMM2||Requires service contract|
| ||iRMC (Integrated Remote Management Controller)||iRMC S3||Anyone|
| ||ILOM (Integrated Lights Out Manager)||ILOM 3||Requires service contract|
Source for the S5520 Server Platforms - a dozen BMCs on various Intel boards - kudos to Intel! (Presumably they have others out there; I was sent this link.)
|Nuvoton||Hong Kong and Shenzhen|
|Emulex||... at least some presence in Beijing and Shanghai|
|ATEN||HQ in Taiwan, factories in Shenzhen.|
|Winbond||Housed in Taiwan, also in Kunshan city, China.|
|Avocent||Beijing and Guangzhou|
|ASPEED||HQ'd in Taiwan, factories/subsidiary in China|
|Renesas||Mainland China and Hong Kong|