Security – Supermicro IPMI BMC security – how to disable HTTP

ipmiSecuritysupermicro

On my Supermicro Server, using a H8SCM motherboard, I have an IPMI card.

The IPMI card is version 2.0 and it is running the 2.37 firmware.

The problem I have is that I find no feasible way to disable port 80 (HTTP access).

As user ADMIN…

Through the Web Interface, I can only change the port (1-65535)
Through the SSH login, I have no access to any relative or interesting information whatsoever
Through the ipmitool, I can only change setting relative to SOL
Through the patched SuperMicro ipmitool, there is no setting available

Am I missing something, or has Supermicro left a gaping security hole allowing plaintext password transmission???

Best Answer

Supermicro IPMI BMCs are extremely useful, but they are not engineered for security. I recommend keeping IPMI on a separate interface/VLAN. Even if you are able to disable port 80, it is highly likely that there are undocumented remote exploit vulnerabilities.

Related Solutions

Ubuntu – How to tell which interface the Supemicro IPMI is piggybacking on

You may be running in to an unfortunate effect of the Supermicro BMC firmware. When power is applied to the power supply, the BMC powers on immediately. During the boot process the BMC (via Uboot which is booting Linux on the BMC) checks to see if the dedicated IPMI NIC port sees a link state. If not, the shared NIC port will be used. The NIC port selected at BMC boot time will be the NIC port used until the BMC is power cycled, either through a direct BMC reboot or when power is removed from the power supply. Rebooting the system itself will do nothing to the BMC.

This creates a cabling time race condition between plugging in the dedicated IPMI NIC and the power cable which is very obnoxious. Or, for example, if you have a power outtage and the BMC comes up before the switch does, the BMC will select the shared NIC in spite of the dedicated NIC being wired and LAN IPMI access will, in the case of VLANed ports, will be on the wrong network. We experience this more often than we like and find it quite frustrating.

If you were able (which, you won't be able to if the BMC comes up on the "wrong" NIC) to connect over the LAN you could SSH to the BMC using the ADMIN account (default password "ADMIN). When logged on to the BMC via SSH you can see the effect of the Uboot time decision in the command line as shown by the usencsi= option at the end of the command line:

# cat /proc/cmdline 
root=/dev/ramdisk ro ip=none ramdisk_blocksize=4096 console=ttyS0,38400 rootfstype=cramfs bigphysarea=1025 usencsi=0

On my system (X8DTi-LN4F) usencsi=0 means "use the dedicated IPMI NIC."

Of course, this requires that you connect to the BMC via the LAN. I've looked pretty hard with the r1.05 firmware and can find no way to discern the selected NIC accessing IPMI from the host. I've just started to look at the r1.32 firmware for this system. In any case, I don't see your motherboard model listed on the SuperMicro IPMI firmware page here:

http://www.supermicro.com/support/bios/firmware.aspx

What's most frustrating about this is I know what two bytes I would like to hardwire in the BMC firmware letting us set the IPMI interface either to the dedicated NIC or shared NIC but as far as I can discern there is no setting allowing this.

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Best Answer

Related Solutions

Ubuntu – How to tell which interface the Supemicro IPMI is piggybacking on

Security – Our security auditor is an idiot. How to give him the information he wants

Related Topic