
Description

This report identifies hosts that have the Intelligent Platform Management Interface (IPMI) service open (port 623/udp) and accessible from the Internet. IPMI is the basis of most Out Of Band / Lights Out management suites and is implemented by the server's Baseboard Management Controller (BMC). The BMC has near-complete access to and control of the server's resources, including, but not limited to, memory, power, and storage. Anyone who can control your BMC (via IPMI) can control your server. IPMI instances, in general, are known to contain a variety of vulnerabilities, some more serious than others. In short, you really do not want to expose IPMI to the Internet.

Assessment

The entries in this report are hosts that have an IPMI service open towards the internet. Also included are the IPMI version and the security-related IPMI parameters of the host. IPMI is a total disaster with regard to security. It can be compared to persistent malware with total server control. Opening IPMI (on the standard port) towards the internet is a very dangerous move and will certainly attract malicious attacks. An IPMI instance can be configured to allow anonymous logins and will almost always easily leak stored credentials. There are plenty of known exploits available for IPMI. Because it is such an attractive target with weak security, the likelihood is rated as high. Due to the nature of IPMI, the impact of a compromise is a complete server takeover, including the OS and the data on the server. Additionally, it is relatively easy to extract any stored credentials. Therefore, the impact is rated as very high.

Recommendations

  • Restrict access to IPMI to your internal networks.
  • If remote access from outside of your networks is necessary, use a VPN through which authorized employees can connect to IPMI.
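
To confirm that the restriction recommended above has taken effect, you can send the standard RMCP/ASF Presence Ping to your own BMC addresses from outside your network and check whether anything answers on 623/udp. This is an added example, not part of the original advisory; the function names and the sample addresses (TEST-NET-3 placeholders) are assumptions.

```python
import socket
import struct

RMCP_PORT = 623                 # IPMI-over-LAN port named in the report
ASF_IANA = 4542                 # ASF enterprise number (0x000011BE)
PRESENCE_PING, PRESENCE_PONG = 0x80, 0x40


def build_presence_ping(tag: int = 0) -> bytes:
    """RMCP header (version 6, no-ack sequence 0xFF, class ASF) + ASF ping."""
    return struct.pack("!BBBBIBBBB", 0x06, 0x00, 0xFF, 0x06,
                       ASF_IANA, PRESENCE_PING, tag, 0x00, 0x00)


def parse_presence_pong(data: bytes, tag: int = 0):
    """Return {'ipmi_supported', 'asf_version'} for a valid pong, else None."""
    if len(data) < 12:
        return None
    ver, _, _, cls, iana, mtype, rtag, _, dlen = struct.unpack("!BBBBIBBBB", data[:12])
    if (ver, cls & 0x1F, iana, mtype, rtag) != (0x06, 0x06, ASF_IANA, PRESENCE_PONG, tag):
        return None
    body = data[12:12 + dlen]
    if dlen < 10 or len(body) < dlen:       # truncated or malformed pong
        return None
    entities = body[8]                      # follows IANA (4) + OEM-defined (4)
    return {"ipmi_supported": bool(entities & 0x80), "asf_version": entities & 0x0F}


def check_host(host: str, timeout: float = 2.0):
    """Probe one of your own addresses; None means no answer on 623/udp."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_presence_ping(), (host, RMCP_PORT))
            reply, _ = s.recvfrom(512)
        except OSError:                     # timeout, ICMP unreachable, etc.
            return None
    return parse_presence_pong(reply)


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-3); replace with your own BMC IPs.
    for ip in ["203.0.113.10", "203.0.113.11"]:
        result = check_host(ip, timeout=1.0)
        print(ip, "EXPOSED" if result else "no response", result or "")
```

A host that returns a pong from an external vantage point is still reachable and would continue to appear in this report; no response after the change is the expected outcome.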
