My little test lab

I didn't spend a lot of time trying to break into the BMCs, as I'm not a pen-tester. The Supermicro (SM) simply gave me a root prompt - I turned on IPMI, logged in via SSH, and got the "#" sign. The Dell I'll discuss later; I'm currently waiting on Dell on fixing the issue, but I found it simple to get root onto the BMC. I wasn't able to get root on the HP, but I'm confident that someone more skilled could do it. I'm including summary results of a Nessus scan - no super-serious problems, although the SM had the most findings. I look at the #'s of issues as an indication to the general maturity of a server - lots of little things probably means more problems that are waiting to be found. HP took some care in locking down their BMC at this level, at least. We'll see if their security stands up - all it takes is one bug.

Vendor IPMI flavor BMC Cipher 0 enabled? Got root? Output of "uname -a" on the BMC Nessus Results
Dell R710 iDRAC 6 Express/Enterprise WPCM450 yes yes [WPCM450 ~]$ uname -a
Linux idrac-5XT3GQ1 #1 PREEMPT Sat Mar 12 20:17:18 UTC 2011 armv5tejl unknown
High 0
Med 3
Low 0
Info 30
HP ML150 G6 iLO 3 ServerEngines II yes no n/a High 0
Med 0
Low 2
Info 12
Silicon Mechanics with a Supermicro X8DTU-F motherboard Supermicro Intelligent Management WPCM450 yes yes [WPCM450 ~]$ uname -a
Linux SMC0025906E33C3 2.6.24-ami #1 Wed Dec 22 10:50:27 PST 2010 armv5tejl unknown
High 0
Med 8
Low 1
Info 45

I found it interesting to note that 2 of the 3 I tested have the Winbond WCPM450 ARM-based BMC. There's a lot of mixing and matching of firmware vendors. Here's a little note discussing the partnership of Winbond & AMI (aka American Megatrends) on the firmware of the chip.