Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Security Cloud Networking Hardware

IPMI Protocol Vulnerabilities Have Long Shelf Life 62

Posted by samzenpus
from the protect-ya-neck dept.
msm1267 (2804139) writes "If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies' IT organizations should be aware of: IPMI. Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.

Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore. Farmer released a paper called 'Sold Down the River,' in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit."
This discussion has been archived. No new comments can be posted.

IPMI Protocol Vulnerabilities Have Long Shelf Life

Comments Filter:
  • Re:IPMI vulnz (Score:5, Insightful)

    by gweihir (88907) on Sunday June 08, 2014 @12:26PM (#47190473)

    That may be a bit over-the top. IPMI is vulnerable, but it is also useful. Giving IPMI its own physical network with access only after authentication is usually enough. A secure jump-host or firewall that requires authentication to pass traffic does serve well to secure IPMI.

To spot the expert, pick the one who predicts the job will take the longest and cost the most.

Working...