My little test lab
I didn't spend a lot of time trying to break into the BMCs, as I'm not a pen-tester. The Supermicro (SM) simply gave me a root prompt - I turned on IPMI, logged in via SSH, and got the "#" sign. The Dell I'll discuss later; I'm currently waiting on Dell on fixing the issue, but I found it simple to get root onto the BMC. I wasn't able to get root on the HP, but I'm confident that someone more skilled could do it. I'm including summary results of a Nessus scan - no super-serious problems, although the SM had the most findings. I look at the #'s of issues as an indication to the general maturity of a server - lots of little things probably means more problems that are waiting to be found. HP took some care in locking down their BMC at this level, at least. We'll see if their security stands up - all it takes is one bug.
| Vendor | IPMI flavor | BMC | Cipher 0 enabled? | Got root? | Output of "uname -a" on the BMC | Nessus Results |
|---|---|---|---|---|---|---|
| Dell R710 | iDRAC 6 Express/Enterprise | WPCM450 | yes | yes | [WPCM450 ~]$ uname -a Linux idrac-5XT3GQ1 2.6.23.1 #1 PREEMPT Sat Mar 12 20:17:18 UTC 2011 armv5tejl unknown |
High 0 Med 3 Low 0 Info 30 |
| HP ML150 G6 | iLO 3 | ServerEngines II | yes | no | n/a |
High 0 Med 0 Low 2 Info 12 |
| Silicon Mechanics with a Supermicro X8DTU-F motherboard | Supermicro Intelligent Management | WPCM450 | yes | yes | [WPCM450 ~]$ uname -a Linux SMC0025906E33C3 2.6.24-ami #1 Wed Dec 22 10:50:27 PST 2010 armv5tejl unknown |
High 0 Med 8 Low 1 Info 45 |
I found it interesting to note that 2 of the 3 I tested have the Winbond WCPM450 ARM-based BMC. There's a lot of mixing and matching of firmware vendors. Here's a little note discussing the partnership of Winbond & AMI (aka American Megatrends) on the firmware of the chip.