|Risks identified in TA13-207A
||Risk mitigation in FSP-based systems
|Passwords for IPMI authentication are saved in clear text.
||Passwords are encrypted and persisted in flash in FSP-based systems.
|Knowledge of one IPMI password gives you the password for all computers in the IPMI managed group.
||This vulnerability does not apply to FSP-based systems since passwords are encrypted prior to being saved. Deployments must discourage reuse of passwords across different systems.
|Root access on an IPMI system grants complete control over hardware, software, firmware on the system.
||Console access to the FSP is disabled. A user can open an IPMI SOL console to a partition and log in with root credentials (a password is needed here). Once the user has logged in, if SOL is deactivated and then activated again, the password is not prompted for. Hence, if a root user has logged in to a partition and gets the session deactivated, that session can be re-activated by anybody else. The IPMI protocol requirements for SOL deactivation are silent on this.
|BMCs often run excess and older network services that may be vulnerable.
||In FSP-based systems, the user could disable network services via ASMI. In general, this may not really be an IPMI-specific security issue.
|IPMI access may also grant remote console access to the system, resulting in access to the BIOS.
||While this is a feature of IPMI, the user still needs the IPMI session password to activate the SOL session.
|There are few, if any, monitoring tools available to detect if the BMC is compromised.
||FSP firmware is validated using security test tools such as Nessus and Qualys.
|Certain types of traffic to and from the BMC are not encrypted.
||This is a usage issue. The user could choose to have an unencrypted SOL session.
|Unclear documentation on how to sanitize IPMI passwords without destruction of the motherboard.
||Not applicable to FSP-based systems since passwords are never stored in clear text.
|IPMI 2.0 Cipher Type 0 - Authentication Bypass Vulnerability.
||FSP rejects the request if a client attempts to open a session via Cipher 0.
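
An added example, not code from IBM or the FSP firmware: a Python check for the rows on unencrypted traffic and Cipher 0 that reads the cipher suite privilege line from `ipmitool lan print` output and lists suites that are enabled without authentication or without encryption. It assumes the management controller's LAN settings can be read with ipmitool and that character N of `Cipher Suite Priv Max` refers to cipher suite N, as the ipmitool man page describes; the sample text is constructed.

```python
import re

# IPMI 2.0 cipher suites (IDs 1-14) that define no confidentiality algorithm:
# a session negotiated with one of these, SOL included, is not encrypted.
NO_CONFIDENTIALITY = {1, 2, 6, 7, 11}
# Privilege letters used by ipmitool; "X" means the suite is unused.
PRIV = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed sample in the layout printed by `ipmitool lan print`.
SAMPLE = """\
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""


def audit_cipher_suites(lan_print_text):
    """Return a list of (suite_id, max_privilege, issue) for risky suites."""
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*(\S+)", lan_print_text, re.M)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line in input")
    findings = []
    # Assumption: position N in the string is cipher suite N.
    for suite_id, flag in enumerate(m.group(1)):
        if flag == "X":  # suite disabled, nothing to report
            continue
        priv = PRIV.get(flag, "UNKNOWN")
        if suite_id == 0:
            findings.append((0, priv, "Cipher 0 enabled: no authentication"))
        elif suite_id in NO_CONFIDENTIALITY:
            findings.append((suite_id, priv, "no confidentiality: unencrypted"))
    return findings


if __name__ == "__main__":
    for finding in audit_cipher_suites(SAMPLE):
        print("suite %d (max privilege %s): %s" % finding)
```

An empty result means every enabled suite both authenticates and encrypts the session.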