Thread: SuperMicro IPMI Security
-
10-19-2011, 04:33 AM #126 WHT Addict
- Join Date: Oct 2009
- Posts: 129
Did I understand this correctly, that the only problem was that many users were unaware of the existence of the "anonymous" username, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?
If so, then I do not really understand what all this fuss is about. And what does it have to do with West, East, etc.
During your first log-in to the IPMI management web interface, you would immediately see that there are two users. And it is very obvious, that you MUST change both passwords. If you don't do that, then it's not really a "security flaw", it's your own fault. Well, ok, the design is not fool-proof. But that does not make it flawed.
-
10-19-2011, 04:52 AM #127 Web Hosting Master
- Join Date: Dec 2004
- Posts: 569
Correct.
Just change the password (and make sure you do not use the "backup configuration" function).
"And it is very obvious, that you MUST change both passwords."
- some people here assumed incorrectly that if they disabled the account in the web interface, that was good enough, and there would not be any need to change the password. But that function does not actually work.
- the official documentation only tells you to change the password of the "ADMIN" account.
Maxnet
Offering automated dedicated server provisioning software
-
10-19-2011, 06:07 AM #128 Web Hosting Guru
- Join Date: Nov 2005
- Posts: 305
The main problem is that if you disable the anonymous account it will keep working. That is the security flaw. Now that everyone knows that disabling won't work, it is just a matter of changing passwords. Before, it was impossible to know that. I tried anonymous myself at the web interface but I could not imagine that it would work at SSH with an empty login. Who would?
So, this "only problem" is a serious issue.
-
10-19-2011, 08:29 AM #129 WHT Addict
- Join Date: Oct 2009
- Posts: 129
Yes, I agree, "backup configuration" is a security flaw. And also a disabled account still works - that's another security flaw. But still, no new firmware is really necessary. Change the passwords, and do not use the "backup configuration" function.
I somewhat over-reacted ("much ado about nothing"), because I was very anxiously following this thread until I realized, that none of our servers were affected (as we always changed both passwords, and never used "backup configuration").
-
10-19-2011, 09:47 PM #130 Web Hosting Guru
- Join Date: Nov 2005
- Posts: 305
-
10-20-2011, 08:26 AM #131 WHT Addict
- Join Date: Jun 2001
- Posts: 139
Well, since you want to take this off-topic. It is not about being xenophobic, or about western content, it's about their school system. I know, I live here, I see it every day. Children are taught from when they enter school to sit down and listen and not have creative thoughts, but simply memorize what they are told. They are great at copying anything down to the last detail, but they haven't learned much about programming or creative thoughts. It's just the way it is. Show me any Chinese written software (or website) that isn't a complete waste of time.
-
10-25-2011, 02:22 PM #132 New Member
- Join Date: Jul 2009
- Posts: 1
My 2 cents to add to the discussion:
As you may know, the web interface page tells you that you don't have enough rights to either save/restore the config, or to access the IPMI configuration page at all when you have Operator or User rights respectively.
However that doesn't matter, because your access level is only checked when you are hitting the page with the buttons, but not when you perform the save operation. So whatever your access level may be, you just need to click the following url: impihost/cgi/save_IPMI_config.cgi , and proceed with downloading the config.
-
12-28-2011, 04:40 PM #133 Web Hosting Master
- Join Date: Oct 2001
- Posts: 1,319
Sorry to dredge up an old thread here - we had an IPMI interface get hacked through the anonymous user as well. Since the malicious parties already got into the IPMI card, will simply changing the password lock them out? I've already upgraded the firmware, reset to factory defaults then changed the password to anonymous - will that suffice to keep out a malicious party that already had access to it?
Avi B
-
12-28-2011, 07:48 PM #134 Web Hosting Master
- Join Date: Dec 2004
- Posts: 569
Security purists would probably say that once something is compromised you can not trust it anymore, and suggest you destroy the thing.
But the IPMI card runs an embedded Linux flavor that has a file system that is mounted read-only with the exception of the /tmp folder (kept in memory) and the /nv folder that keeps the settings.
So the locations where a backdoor can be easily left are kinda limited.
- Loading factory defaults should have cleared the /nv folder.
- And upgrading the firmware should cause the unit to reboot, clearing the /tmp folder. (also happens if you pull the power cable)
So I think you are reasonably safe.
Maxnet
Offering automated dedicated server provisioning software
-
12-28-2011, 10:25 PM #135 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
upgrading the firmware basically wipes the whole filesystem...you should be safe.
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
12-30-2011, 10:49 PM #136 Backup Guru
- Join Date: Feb 2002
- Location: New York, NY
- Posts: 4,618
Scott Burns, President
BQ Internet Corporation
Remote Rsync and FTP backup solutions
*** http://www.bqbackup.com/ ***
-
12-31-2011, 03:55 AM #137 Web Hosting Master
- Join Date: Dec 2004
- Posts: 569
It has also been proven through proof of concepts that malware can be hidden in regular computer BIOSes.
Yet I do not see anyone reflashing them (with an external eeprom programmer) every time a customer's box has a security issue.
Let alone every time a dedicated server changes customers, as the previous customer could have planted a backdoor there (or on the ipmi unit) as well.
Have to be a bit realistic about the likelihood of certain attacks.
-
02-15-2012, 10:52 AM #138 New Member
- Join Date: Feb 2012
- Posts: 1
As a note since I didn't see it mentioned here. I was looking into securing my Supermicro IPMI and noticed it accepted SSH connections with the wrong password, and closed them (firmware version 2.01, X8SIL-F mb):
ADMIN@192.168.1.115's password: [type anything]
Auth User/Pass with PS...fail...Please reconnect!.
The problem with this is someone can set up an SSH port forward between entering the password and the authentication failing. I sent an email (including a proof of why this is a security bug) to Supermicro on Nov 11, 2010 and never heard back from them. I suspect this (as well as the default anonymous user) is how people were getting spam reports from their IPMI IPs.
Checking for firmware updates, I found firmware 2.60 does not have this problem, and I suspect it was fixed in 2.54 (6-22-2011) with:
5. Bug fix SMASH login without password
So if you have IPMI exposed to the internet, please make sure you've updated the firmware. You can verify if your IPMI has this bug based on how it deals with ssh password failures. If you get "Permission denied, please try again." and another password prompt, you're set. If you get the "Auth User/Pass with PS..." message, you have a problem.
-
02-15-2012, 11:16 AM #139 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
Yea that's awesome. Yet another reason to keep IPMI on RFC1918 space.
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
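The two checks from posts #138 and #139 (the SSH failure message and keeping IPMI on RFC1918 space), combined into a small inventory audit. This is an added example, not code from the thread or from Supermicro; the record field names and the sample inventory are constructed, and each `ssh_failure_output` is assumed to be text an operator captured after one wrong password on their own BMC.

```python
import ipaddress

# The three RFC 1918 ranges, listed explicitly: ip.is_private would also
# accept loopback, link-local and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Messages quoted in post #138 for a failed SSH password attempt.
BUG_MARKER = "Auth User/Pass with PS"
FIXED_MARKER = "Permission denied, please try again."


def in_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def classify_ssh_failure(transcript):
    """Classify the text a BMC printed after a wrong SSH password."""
    if BUG_MARKER in transcript:
        return "bug"
    if FIXED_MARKER in transcript:
        return "fixed"
    return "unknown"


def audit(inventory):
    """Return {address: [issues]} for every BMC record with an issue."""
    report = {}
    for bmc in inventory:
        issues = []
        if not in_rfc1918(bmc["addr"]):
            issues.append("not on RFC1918 space")
        state = classify_ssh_failure(bmc["ssh_failure_output"])
        if state == "bug":
            issues.append("SSH login bug message seen: update firmware")
        elif state == "unknown":
            issues.append("SSH failure message not recognised: check manually")
        if issues:
            report[bmc["addr"]] = issues
    return report


# Constructed sample inventory (hypothetical field names and hosts).
SAMPLE = [
    {"addr": "192.168.1.115", "ssh_failure_output": "Auth User/Pass with PS...fail...Please reconnect!."},
    {"addr": "10.20.0.7", "ssh_failure_output": "Permission denied, please try again."},
    {"addr": "172.32.0.5", "ssh_failure_output": "Permission denied, please try again."},
    {"addr": "203.0.113.10", "ssh_failure_output": ""},
]

if __name__ == "__main__":
    for addr, issues in audit(SAMPLE).items():
        print(addr, "->", "; ".join(issues))
```

Note that `172.32.0.5` is flagged: the 172.16.0.0/12 block ends at 172.31.255.255, a boundary that is easy to get wrong when eyeballing addresses.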