You've undoubtedly seen reports of the vulnerability in Supermicro's
BMC implementation that allows IPMI usernames and passwords to be
retrieved via a simple HTTP GET query to port 49152:
http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
I ended up taking two different remediation tacks.
First, in our local server room, all IPMI interfaces are connected to
a single subnet. Our room is small enough that they're all connected
to a single Cisco switch, but the same mitigation would work with a
VLAN-based subnet. I created an access list that only allows tcp
access to the http and https ports. All other tcp requests get
blocked.
More tricky was a single server we have running in a remote data
center that I manage via IPMI. The Supermicro web interface allows
firewall configuration based on source IP address, so most pokes at
port 49152 would be rejected -- but our local network setup is such
that a visitor to our office could conceivably contact that port.
Thankfully it's Linux and iptables under the hood, so
1. Launch ssh session to remote BMC.
2. Upon login run "shell sh" to get a command-line shell.
3. # iptables -I INPUT -m tcp -p tcp --dport 49152 -j DROP
4. # iptables-save > /nv/ipctrl/rultbl.sav
I'm not yet clear what will happen to the new rule if we reconfigure
the firewall from the web gui (presumably, it will get wiped out, but
I'm just not sure) -- but for now it gives me some level of comfort.
--
Paul Heinlein
[email protected]
45°38' N, 122°6' W
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
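The post leaves open whether the hand-inserted DROP survives a firewall change from the web GUI. One offline way to verify, added here as an example (not code from the post or from Supermicro), is to pull the saved rule table (the post writes it to /nv/ipctrl/rultbl.sav with `iptables-save`) and check that a DROP for TCP port 49152 is the first INPUT rule that can match that port. The check also shows why the post uses `-I` rather than `-A`: a DROP appended after a broad ACCEPT never fires. The `iptables-save` dump below is constructed, not captured from a real BMC, and the function names are my own; the parser handles plain `-A` rules only (no `!` negation or multiport matches).

```python
"""Check an iptables-save dump for a head-of-INPUT DROP on the BMC port.

Added example, not from the original post.  Feed it the text of
`iptables-save` (or the saved file) and it reports whether TCP traffic
to port 49152 is dropped before any rule that would accept it.
"""
import shlex

BMC_PORT = 49152  # port named in the post

# Constructed sample dump, as the INPUT chain might look after the post's
# `iptables -I INPUT -m tcp -p tcp --dport 49152 -j DROP` was run.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not a real BMC)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 49152 -j DROP
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def _parse_rule(line):
    """Turn one '-A CHAIN <options>' line into (chain, {option: value})."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts, i = {}, 2
    while i < len(toks):
        key = toks[i]
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[key] = toks[i + 1] if has_val else True
        i += 2 if has_val else 1
    return toks[1], opts


def filter_input_rules(dump):
    """Yield the option dicts of the *filter table's INPUT rules, in order."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter":
            parsed = _parse_rule(line)
            if parsed and parsed[0] == "INPUT":
                yield parsed[1]


def _matches_port(opts, port):
    """True if the rule can match TCP traffic to `port`.
    A rule with no protocol/port restriction (e.g. `-s X -j ACCEPT`) matches too."""
    if opts.get("-p") not in (None, "tcp"):
        return False
    dport = opts.get("--dport")
    if dport is None:
        return True
    lo, _, hi = dport.partition(":")  # single port or range lo:hi
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def check_drop(dump, port=BMC_PORT):
    """Return (status, rule_index) for the first INPUT rule that can match `port`:
    'dropped' (DROP/REJECT wins), 'accepted' (an ACCEPT comes first), or
    'missing' (nothing matches; the chain policy decides)."""
    for idx, opts in enumerate(filter_input_rules(dump)):
        if not _matches_port(opts, port):
            continue
        target = opts.get("-j")
        if target in ("DROP", "REJECT"):
            return "dropped", idx
        if target == "ACCEPT":
            return "accepted", idx
    return "missing", None


def ensure_drop(dump, port=BMC_PORT):
    """Return the dump with a DROP for `port` at the head of INPUT
    (the `-I INPUT` effect) unless a DROP already wins for that port."""
    if check_drop(dump, port)[0] == "dropped":
        return dump
    rule = f"-A INPUT -p tcp -m tcp --dport {port} -j DROP"
    lines = dump.splitlines()
    in_filter = False
    for i, line in enumerate(lines):
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and (line.startswith("-A ") or line.strip() == "COMMIT"):
            lines.insert(i, rule)  # before the first rule, or before COMMIT
            break
    else:
        raise ValueError("no *filter table in dump")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Typical use: iptables-save | python3 check_bmc_drop.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(check_drop(text))
```

Run it against the saved table before and after touching the GUI firewall page; a result other than `('dropped', 0)` means the manual rule was lost or demoted below an ACCEPT, and `ensure_drop` shows where it has to go back.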