| Risks identified in TA13-207A | Risk mitigation in FSP-based systems |
| --- | --- |
| Passwords for IPMI authentication are saved in clear text. | Passwords are encrypted and persisted in flash on FSP-based systems. |
| Knowledge of one IPMI password gives you the password for all computers in the IPMI managed group. | This vulnerability does not apply to FSP-based systems since passwords are encrypted prior to being saved. Deployments must discourage reuse of passwords across different systems. |
| Root access on an IPMI system grants complete control over hardware, software, and firmware on the system. | Console access to the FSP is disabled. A user can open an IPMI SOL console to a partition and log in with root credentials (a password is required here). If the user has logged in and the SOL session is then deactivated and reactivated, the password is not prompted for again. Hence, if a root user has logged in to a partition and the session gets deactivated, that session can be reactivated by anybody else. The IPMI protocol requirements for SOL deactivation are silent on this. |
| BMCs often run excess and older network services that may be vulnerable. | In FSP-based systems, the user can disable network services via ASMI. In general, this may not really be an IPMI-specific security issue. |
| IPMI access may also grant remote console access to the system, resulting in access to the BIOS. | While this is a feature of IPMI, the user still needs the IPMI session password to activate the SOL session. |
| There are few, if any, monitoring tools available to detect if the BMC is compromised. | FSP firmware is validated using security test tools such as Nessus and Qualys. |
| Certain types of traffic to and from the BMC are not encrypted. | This is a usage issue. The user could choose to have an unencrypted SOL session. |
| Unclear documentation on how to sanitize IPMI passwords without destruction of the motherboard. | Not applicable to FSP-based systems since passwords are never stored in clear text. |
| IPMI 2.0 Cipher Type 0 - Authentication Bypass Vulnerability. | FSP rejects the request if a client attempts to open a session via Cipher 0. |
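
The Cipher 0 row and the unencrypted-traffic row can both be checked against what a BMC advertises. The following is an added example, not code from the original page or from FSP firmware: it parses the `RMCP+ Cipher Suites` line of `ipmitool lan print` output and flags suite 0 and the suites that define no confidentiality algorithm. The sample output and the function names are constructed for illustration.

```python
import re

# Suite IDs whose confidentiality algorithm is "none" in the IPMI 2.0
# cipher suite ID table: session payloads (including SOL) are not encrypted.
NO_CONFIDENTIALITY = {0, 1, 2, 6, 7, 11, 15, 16}
KNOWN_SUITES = set(range(0, 18))  # standard IDs 0-17; anything else is OEM

def advertised_suites(lan_print: str) -> list[int]:
    """Return the suite IDs listed on the 'RMCP+ Cipher Suites' line."""
    m = re.search(r"^RMCP\+ Cipher Suites[ \t]*:[ \t]*(.*)$", lan_print, re.MULTILINE)
    if m is None:
        raise ValueError("no 'RMCP+ Cipher Suites' line found")
    # ipmitool prints "None" when the list is empty; isdigit() drops it.
    return [int(tok) for tok in re.split(r"[,\s]+", m.group(1).strip()) if tok.isdigit()]

def audit(lan_print: str) -> dict[str, list[int]]:
    """Classify advertised suites by the two risks named in the table."""
    suites = advertised_suites(lan_print)
    return {
        # Suite 0: no authentication, integrity or confidentiality.
        "auth_bypass": [s for s in suites if s == 0],
        # Authenticated, but traffic travels in the clear.
        "unencrypted": [s for s in suites if s in NO_CONFIDENTIALITY and s != 0],
        # Not a standard ID; needs vendor documentation to assess.
        "unknown": [s for s in suites if s not in KNOWN_SUITES],
    }

# Constructed sample of `ipmitool lan print` output (not from a real system).
SAMPLE = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
"""

if __name__ == "__main__":
    for finding, ids in audit(SAMPLE).items():
        print(f"{finding}: {ids}")
```

This reads only the advertised list; whether a listed suite is actually usable also depends on the per-suite privilege limits the BMC enforces.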