I reported a security issue in Supermicro's IPMI implementation to them. They dismissed the issue and never fixed it.
These companies don't care if there's no way to stop a remote control service (iLO, iDRAC, IPMI) from binding to a motherboard ethernet port. In the case of Supermicro, you can't configure via the built-in BIOS, there are no jumpers you can use, and you must have a full network setup and installed tools to configure a new machine. This makes deploying in the field much, much more problematic.
If the BIOS battery dies and the settings are lost, the motherboard defaults to joining whichever ethernet is active, with default credentials. It's incredibly stupid and insecure.
I will never buy Supermicro again, but for the hardware that was already bought, I mandated loopback plugs for all IPMI ports so the IPMI wouldn't switch to the system ethernet.
BMCs are slightly different I think (more powerful!) but at my previous workplace we once had a server provided to us by our hosting provider that had its BMC exposed on the internet with default credentials. They never told us the machine even had one (most of our servers from them didn't). We only figured it out once we found a Monero miner on the machine.
People on here love promoting dedicated servers over cloud VMs, but it's so much easier for this sort of thing to go wrong with dedicated hosting.
This is actually much lower than I expected.
Though what helps is that most servers have a dedicated iLO interface and you really have to choose to configure it on the regular ones along with normal traffic. So out-of-band is the default.
So in this case it's only people who have deliberately configured this. I think this is why it's not hundreds of thousands.
If you want to be really scared, read:
http://fish2.com/ipmi/itrain.pdf
All servers in a datacenter have this management interface (iLO is just one type).
If the management network these sit on is poorly secured (like here) your servers are literally powned.
The amount of access that BMCs have to the system seems nuts to me. How about a BMC-esque thing whose only function is to provide remote access to the host machine's essential interfaces?
On one side, an ethernet port, that you plug into your management plane. On the other side, a serial port, to access the host's console, a device-side SATA port, so it can present a virtual boot disk to the host, and a wire to the power supply, to turn the host on and off. Maybe also some read-only interface to motherboard-level monitoring like SMART and so on; maybe you get that by cooperation with the host's firmware, over the serial or SATA interface. That would let you bring a machine up and configure it, reboot it remotely, force it to boot from a recovery disk, etc. But a hacked BMC couldn't be used to subtly interfere with the host.
Also, does anyone know what Oxide are doing about BMC?
The older iLO2 and 3 were from the Gen7/8 HP rack mount servers, which were released around 2013 or something like that. I'd have thought that the majority of commercial uses have long passed, so I was wondering if these generations of machines are really being used for home labs, that sort of thing, as they are past their use-by date (I think the Gen7 machines were EOSL'd in 2018 so they'll have been chucked out of datacentres).
Actually, I can imagine a fair few are still in use as small enterprise servers, with iLO being visible for remote admin, which is a shame, as that suggests they are not behind a tunnel, so those addresses probably indicate larger problems than a visible iLO.
I've had the bad fortune of dealing with iLO in the past. There's absolutely nothing surprising to me that it would be remotely exploitable, as well as default remote accessible.
First things I did on my own server at home:
1. Disable public IPv6 on the iLO interface
2. Change all the passwords
3. Set up TLS on the web interface and force HTTP to HTTPS redirection.
Ironically, point 3 alone is really most of the protection: the web interface is so slow over HTTPS it's basically unusable.
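Checks like the ones in that list, and the Supermicro complaint earlier in the thread about a BMC silently joining the wrong network, can be partly scripted against ipmitool output. The following is an added example, not code from any commenter or vendor: it parses constructed `ipmitool lan print` and `ipmitool user list` output and flags a BMC that sits outside the expected management subnet, takes its address from DHCP, or still has a factory-named account enabled. The sample output, the `MGMT_NET` subnet, the `DEFAULT_ACCOUNT_NAMES` set and the function names are all assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of `ipmitool lan print 1`; values are made up.
SAMPLE_LAN_PRINT = """\
IP Address Source       : DHCP Address
IP Address              : 203.0.113.45
"""
# Constructed sample in the shape of `ipmitool user list 1`.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   ops-oncall       true    false      true       ADMINISTRATOR
"""
# Assumptions: the subnet BMCs should live on, and account names that commonly ship enabled.
MGMT_NET = ipaddress.ip_network("10.20.30.0/24")
DEFAULT_ACCOUNT_NAMES = {"ADMIN", "root", "Administrator"}
USER_ROW = re.compile(r"\s*(\d+)\s+(\S+)?\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")

def parse_lan_print(text):
    """Map the 'Key : Value' lines of `ipmitool lan print` to a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_user_list(text):
    """Yield (id, name, ipmi_msg_enabled, privilege) for each user row."""
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:  # the header line and blank lines do not match
            uid, name, _callin, _link, ipmi_msg, priv = m.groups()
            yield int(uid), name or "", ipmi_msg == "true", priv

def audit_bmc(lan_text, user_text):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    lan = parse_lan_print(lan_text)
    addr = ipaddress.ip_address(lan.get("IP Address", "0.0.0.0"))
    if addr not in MGMT_NET:
        findings.append(f"BMC address {addr} is outside the management subnet {MGMT_NET}")
    if lan.get("IP Address Source", "").startswith("DHCP"):
        findings.append("BMC address comes from DHCP rather than a static management address")
    for uid, name, enabled, priv in parse_user_list(user_text):
        if enabled and name in DEFAULT_ACCOUNT_NAMES:
            findings.append(f"user {uid} '{name}' ({priv}) is a factory account name and is still enabled")
    return findings
```

Run it per host with `audit_bmc(open(lan_file).read(), open(users_file).read())` after capturing the two ipmitool outputs; the sample above yields three findings.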
Seems to me that we'd get some pretty good infosec bang-for-buck to hire some new FBI agents to just wear badges and knock on doors of businesses with such abjectly shittastic security.
Either their IT people have been begging to fix it and management won't give them the resources, or they don't have IT people who even see it as a problem. Either way, a couple special agents having a sit-down with the CEO might change some course real fast.
Discuss.
Sometimes people don't have a choice - it's colocation, the DC doesn't offer management VPN/firewalling, you can't install a separate VPN router unless you pay for another unit in a rack. And iLO/LOM/WTF at least offers HTTPS... what can you do? Well, some people call the DC to have their LOs (un-)plugged for maintenance time.
Is there a consensus on whether it's ok to port forward from the firewall to port 22 (SSH) on the BMC, with a strong admin password? I guess this should be safer than exposing the web interface.
I love how iDRAC shipped with a password everyone knows. I would have thought it was trivial to make it a 1-time passthrough to change it, to stop this being the cartoon character we know and love.
I looked at this some time ago. Here is what I found.
https://github.com/tg12/rapid7_OSINT