
I am actually performing a security review for a customer and I'm confused about the IPMI case.

If I'm correct, the protocol is flawed by design, thus directly exposing the IPMI service (udp/623) on the network to password hash extraction.

Knowing that, is it a good mitigation to only allow IPMI over HTTP (i.e. via the web UI provided by several vendors like Dell, SuperMicro etc.)?

And as a conclusion, is that possible? Or should the IPMI-specific port always be listening?

Thank you for your answers.

b0z
    IPMI is not a secure protocol. It assumes that the network is private. You really shouldn't be trying to do this remotely. I highly recommend installing another device in the network so that you can tunnel securely before being able to access anything at that level. – tudor -Reinstate Monica- Dec 21 '15 at 01:13
  • @tudor I know that :D As you said, the network itself is secured by design, but I want to have many accounts managed on the BMC, without exposing password hashes. More precisely, I want to give restricted access to users and keep my Administrator's hash secure. – b0z Dec 21 '15 at 10:08

1 Answer


The short answer is yes, HTTPS is possible and udp port 621 isn't necessarily required. The current Wikipedia page says this under "Current Security Status" here.

IPMI supports the use of SSL by way of HTTPS for secure communication with certificates.

The use of default short passwords, or "cipher 0" hacks can be easily overcome with the use of a RADIUS server for Authentication, Authorization, and Accounting over SSL as is typical in a datacenter or any medium to large deployment. The user's RADIUS server can be configured to store AAA securely in an LDAP database in a secure manner using either FreeRADIUS/OpenLDAP or Microsoft Active Directory and related services.

...

Therefore, the prudent best practice is to disable the use of the Operator and Administrator roles in LDAP/RADIUS, and only enable them when needed by the LDAP/RADIUS administrator. For example, in RADIUS a role can have its setting Auth-Type changed to:

Auth-Type := Reject

Doing so will prevent RAKP hash attacks from succeeding since the username will be rejected by the RADIUS server.
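The following is an added illustration of the mitigation quoted above, written as a FreeRADIUS `users` file fragment; it is not from the answer, from Wikipedia, or from any vendor's documentation. The usernames (`bmcadmin`, `ops-user`) and the password value are constructed placeholders, and any vendor-specific attributes the BMC might need to map a RADIUS user onto an IPMI privilege level are deliberately left out, since they differ between BMC vendors.

```text
# FreeRADIUS "users" file (files module), matched top to bottom.
# Added example, not the page's own configuration; names are constructed.

# Administrator-level BMC account: kept in the directory, but authentication
# is refused outright. A RAKP exchange for this name never reaches the
# password check, so there is no hash to hand back. The RADIUS administrator
# changes "Reject" back to a normal lookup only for the maintenance window.
bmcadmin    Auth-Type := Reject
            Reply-Message = "Administrator role disabled; contact the RADIUS administrator"

# Ordinary restricted user: authenticated normally against a stored credential
# (placeholder value shown here; in practice this would come from LDAP/AD
# via the ldap module rather than a cleartext entry in this file).
ops-user    Cleartext-Password := "replace-me-example-only"
            Reply-Message = "Restricted BMC access granted"

# Catch-all: any username not listed above is rejected, so probing for
# unknown or default accounts also fails at the RADIUS server.
DEFAULT     Auth-Type := Reject
            Reply-Message = "Unknown account"
```

The point of the `Reject` entries is that the decision is made by the RADIUS server before any credential material is involved, which is why the answer describes this as defeating the RAKP hash problem for the disabled roles; the `DEFAULT` entry simply extends the same idea to names that were never provisioned.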