  1. #126
    Did I understand this correctly, that the only problem was that many users were unaware of the "anonymous" username existence, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?

    If so, then I do not really understand what all this fuss is about. And what does it have to do with West, East, etc.

    During your first log-in to the IPMI management web interface, you would immediately see that there are two users. And it is very obvious, that you MUST change both passwords. If you don't do that, then it's not really a "security flaw", it's your own fault. Well, ok, the design is not fool-proof. But that does not make it flawed.

  2. #127
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by OneLittleBird View Post
    Did I understand this correctly, that the only problem was that many users were unaware of the "anonymous" username existence, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?
    Correct.
    Just change the password (and make sure you do not use the "backup configuration" function).


    And it is very obvious, that you MUST change both passwords.
    The problem being:

    • some people here assumed incorrectly that if they disabled the account in the web interface, that was good enough, and there would not be any need to change the password. But that function does not actually work.

    • the official documentation only tells you to change the password of the "ADMIN" account.

  3. #128
    Join Date
    Nov 2005
    Posts
    305
    Quote Originally Posted by OneLittleBird View Post
    Did I understand this correctly, that the only problem was that many users were unaware of the "anonymous" username existence, and left its default password unchanged? Did I understand it correctly, that you do not really need new firmware - you just need to change the default passwords?

    If so, then I do not really understand what all this fuss is about. And what does it have to do with West, East, etc.

    During your first log-in to the IPMI management web interface, you would immediately see that there are two users. And it is very obvious, that you MUST change both passwords. If you don't do that, then it's not really a "security flaw", it's your own fault. Well, ok, the design is not fool-proof. But that does not make it flawed.


    The main problem is that if you disable the anonymous account it will keep working. That is the security flaw. Now that everyone knows that disabling won't work, it is just a matter of changing passwords. Before, it was impossible to know that. I tried anonymous myself at the web interface but I could not imagine that it would work at SSH with an empty login. Who would?

    So, this "only problem" is a serious issue.

  4. #129
    Yes, I agree, "backup configuration" is a security flaw. And also disabled account still works - that's another security flaw. But still, no new firmware is really necessary. Change the passwords, and do not use the "backup configuration" function.

    I somewhat over-reacted ("much ado about nothing"), because I was very anxiously following this thread until I realized, that none of our servers were affected (as we always changed both passwords, and never used "backup configuration").

  5. #130
    Join Date
    Nov 2005
    Posts
    305
    Quote Originally Posted by OneLittleBird View Post
    Yes, I agree, "backup configuration" is a security flaw. And also disabled account still works - that's another security flaw. But still, no new firmware is really necessary. Change the passwords, and do not use the "backup configuration" function.

    I somewhat over-reacted ("much ado about nothing"), because I was very anxiously following this thread until I realized, that none of our servers were affected (as we always changed both passwords, and never used "backup configuration").
    We were not that lucky. These bugs caused us some problems but we are happy to finally know that everything is "ok". I realize that being paranoid may help. So, it is always useful to change the password of an account when disabling it.

  6. #131
    Quote Originally Posted by plumsauce View Post
    Let's examine your xenophobic statements.

    The only accurate part of the entire post is that most implementations of ipmi run some linux derivative and often run busybox as the shell.

    Given those ingredients, the software was mostly written by North Americans and Europeans. That is especially the case for busybox which is mostly the work of one person.

    Of course if you don't like products that are not completely Western in content, you can always avoid those products. Your choices will be severely limited.

    ++
    Well, since you want to take this off-topic. It is not about being xenophobic, or about western content, it's about their school system. I know, I live here, I see it every day. Children are taught from the time they enter school to sit down and listen and not have creative thoughts, but simply memorize what they are told. They are great at copying anything down to the last detail, but they haven't learned much about programming or creative thoughts. It's just the way it is. Show me any Chinese written software (or website) that isn't a complete waste of time.

  7. #132
    My 2cents to add to the discussion:

    As you may know, the web interface page tells you that you don't have enough rights to either save/restore the config, or to access the IPMI configuration page at all when you have Operator or User rights respectively.

    However that doesn't matter, because your access level is only checked when you are hitting the page with the buttons, but not when you perform the save operation. So whatever your access level may be, you just need to click the following url: impihost/cgi/save_IPMI_config.cgi , and proceed with downloading the config.

  8. #133
    Join Date
    Oct 2001
    Posts
    1,319
    Sorry to dredge up an old thread here - we had an IPMI interface get hacked through the anonymous user as well. Since the malicious parties already got into the IPMI card, will simply changing the password lock them out? I've already upgraded the firmware, reset to factory defaults then changed the password to anonymous - will that suffice to keep out a malicious party that already had access to it?
    Avi B

  9. #134
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by MaB View Post
    Sorry to dredge up an old thread here - we had an IPMI interface get hacked through the anonymous user as well. Since the malicious parties already got into the IPMI card, will simply changing the password lock them out? I've already upgraded the firmware, reset to factory defaults then changed the password to anonymous - will that suffice to keep out a malicious party that already had access to it?
    Security purists would probably say that once something is compromised you can not trust it anymore, and suggest you destroy the thing.


    But the IPMI card runs an embedded Linux flavor that has a file system that is mounted read-only with the exception of the /tmp folder (kept in memory) and the /nv folder that keeps the settings.

    So the locations where a backdoor can be easily left are kinda limited.
    - Loading factory defaults should have cleared the /nv folder.
    - And upgrading the firmware should cause the unit to reboot, clearing the /tmp folder. (also happens if you pull the power cable)

    So I think you are reasonably safe.

  10. #135
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    upgrading the firmware basically wipes the whole filesystem...you should be safe.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  11. #136
    Join Date
    Feb 2002
    Location
    New York, NY
    Posts
    4,618
    Quote Originally Posted by Maxnet View Post
    So the locations where a backdoor can be easily left are kinda limited.
    - Loading factory defaults should have cleared the /nv folder.
    - And upgrading the firmware should cause the unit to reboot, clearing the /tmp folder. (also happens if you pull the power cable)
    Unless it re-inserts a backdoor into the new firmware before it applies it
    Scott Burns, President
    BQ Internet Corporation
    Remote Rsync and FTP backup solutions
    *** http://www.bqbackup.com/ ***

  12. #137
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by bqinternet View Post
    Unless it re-inserts a backdoor into the new firmware before it applies it
    It has also been proven through proof of concepts that malware can be hidden in regular computer BIOSes.
    Yet I do not see anyone reflashing them (with an external eeprom programmer) every time a customer's box has a security issue.
    Let alone every time a dedicated server changes customers, as the previous customer could have planted a backdoor there (or on the ipmi unit) as well.

    Have to be a bit realistic about the likelihood of certain attacks.

  13. #138
    As a note since I didn't see it mentioned here. I was looking into securing my supermicro IPMI and noticed it accepted ssh connections with the wrong password, and closed them (firmware version 2.01, X8SIL-F mb):

    ADMIN@192.168.1.115's password: [type anything]
    Auth User/Pass with PS...fail...Please reconnect!.

    The problem with this is someone can set up an SSH port forward between entering the password and the authentication failing. I sent an email (including a proof of why this is a security bug) to supermicro on Nov 11, 2010 and never heard back from them. I suspect this (as well as the default anonymous user) is how people were getting spam reports from their IPMI IPs.

    Checking for firmware updates, I found firmware 2.60 does not have this problem, and I suspect it was fixed in 2.54 (6-22-2011) with:
    5. Bug fix SMASH login without password

    So if you have IPMI exposed to the internet, please make sure you've updated the firmware. You can verify if your IPMI has this bug based on how it deals with ssh password failures. If you get "Permission denied, please try again." and another password prompt, you're set. If you get the "Auth User/Pass with PS..." message, you have a problem.
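
The check described in post #138, combined with the RFC1918 advice that follows it, as an audit over a BMC inventory. This is an added example, not code from the thread or from Supermicro; the inventory records, field names and finding labels are constructed, and each transcript is assumed to be the text captured from one failed SSH login against your own BMC.

```python
import ipaddress

# The two marker strings are quoted in post #138; the rest is constructed.
VULN_MARKER = "Auth User/Pass with PS"
OK_MARKER = "Permission denied, please try again."
SUSPECTED_FIX = (2, 54)  # post #138 suspects the fix landed in 2.54
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_ssh_failure(transcript):
    """Classify what the BMC's SSH service printed after a wrong password."""
    if VULN_MARKER in transcript:
        return "vulnerable"
    if OK_MARKER in transcript:
        return "ok"
    return "unknown"

def parse_version(text):
    major, minor = text.strip().split(".")[:2]
    return int(major), int(minor)

def audit(bmc):
    """Return findings for one record: dict with ip, firmware, transcript."""
    findings = []
    state = classify_ssh_failure(bmc["transcript"])
    if state == "vulnerable":
        findings.append("ssh-auth-bug: old failure banner seen, update firmware")
    elif state == "unknown":
        findings.append("ssh-auth-unknown: neither message matched, check by hand")
    if parse_version(bmc["firmware"]) < SUSPECTED_FIX:
        findings.append("firmware-old: below 2.54")
    addr = ipaddress.ip_address(bmc["ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("exposed: address is outside RFC1918 space")
    return findings

# Constructed inventory; the first transcript is the one shown in post #138.
INVENTORY = [
    {"ip": "192.168.1.115", "firmware": "2.01", "transcript":
     "ADMIN@192.168.1.115's password: \nAuth User/Pass with PS...fail...Please reconnect!."},
    {"ip": "203.0.113.20", "firmware": "2.60", "transcript":
     "ADMIN@203.0.113.20's password: \nPermission denied, please try again."},
]

if __name__ == "__main__":
    for bmc in INVENTORY:
        print(bmc["ip"], audit(bmc) or ["no findings"])
```
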

  14. #139
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Yea that's awesome. Yet another reason to keep IPMI on RFC1918 space.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters
