I always flag as a way to try to get the mods' attention. I'm pretty sure my flags are de-weighted or even disregarded at this point though, because I flag for all sorts of reasons (which is the problem with having no way of being more specific about why I'm doing it).
BMC's (or the equivalent for whatever vendor you are using) should never be exposed to the internet- they shouldn't even be on the same network as the rest of the server. Generally speaking I put them on a completely separate network that has to be VPN'd into explicitly. Having BMC access is as close to having physical access as you can get without actually touching the machine.
Better said than practiced. I recently bought a Supermicro MBD-M11SDV-8CT-LN4F-O (AMD EPYC 3201 SoC). There are 5 NICs--4 Intel and 1 Realtek. The Realtek is set of by itself and obviously dedicated to the BMC controller.
However, reading around I learned that if the controller doesn't succeed in getting a DHCP address on the Realtek interface (unplugged, or apparently in Supermicro's case just a failed DHCP server), it will automatically switch to sharing the first Intel NIC.
You can disable it in the BIOS, but I've had problems in the past where I thought I disabled IPMI on the LAN but either didn't do it correctly or it reverted itself. It doesn't help that there are a ton of ambiguously named, poorly documented options.
To be on the safe side I've plugged both the Realtek and #1 Intel jack. I usually prefer to use the RS-232 serial port for management as it's more fool-proof, but unfortunately this MB doesn't have one. I could install one, but it doesn't make me any more confident that the BMC isn't (now or in the future) on the network.
I understand how useful these BMCs can be, especially for Windows machines, but they're so extremely dangerous. It sucks that they're so ubiquitous, and it sucks that SuperMicro's BMC seems to be the worst of them all in terms of security and bugginess. Unfortunately, a SuperMicro motherboard and case is the only way to get a low-power AMD EPYC server into a small, 1U, short-depth form factor. There are a few more options for Intel, but SuperMicro is still your best bet for do-it-yourself server hardware.
I really love my three PC Engines APUs. Simple serial connection, coreboot firmware, and other than AMD's PSP chip and perhaps the Intel NIC controller, no hidden vectors for remote access. And it has an RS-232 serial port, which because there's no GPU (or at least no video port) both the BIOS and most BSD and Linux distros will automatically use by default.
It'd be awesome if PC Engines built something using EPYC or even Ryzen, stripping everything down like they did for the APU and ALIX. But their niche is low-powered, passively cooled x86 devices using older, more reliable, cheaper, well-documented SoCs. Soekris tried to go upmarket with the net6501 and ended up folding. (They still sell custom DAC hardware from their EU outfit.) There's not enough of a market to make it worthwhile to take the risk. Lots of people love the idea in theory, but what people end up doing is sticking with traditional server suppliers, or in the home, hobbyist, and small business market just buying one of the many faster small form factor boxes that have flooded the market. The problem with those alternatives is that the boards are packed with too much crap, they're too diverse, and every model and family of models short-lived.
In tiny deployments, use a cheap dumb gigabit switch to connect up all the BMCs to your firewall. Give them a separate DHCP assigned subnet and allow access to it only from your management machine.
In larger deployments, you should have separate management networks anyway.
It's not that SuperMicro has the worst BMC. It's that all BMCs/IPMI/iLO/iDRAC are terrible at security, so you need to treat them just like console ports,
I think the large problem alluded to (if true), is that if DHCP fails it may switch which NIC it shares with as well. That problematic for many reasons, and many of them are still problems if you separate it to a different network.
You generally don't expect a DHCP server going down somewhere, possibly in a side-network where it may not be noticed, to cause a management system to open up on a server's publicly connected NIC when it reboots (man, I hope it requires a reboot!). That renders all your careful segregation of your control network completely useless with one service failure and a reboot. Sucks to be you if that DHCP server is on the same circuit as some other servers and they all power cycle at once, because I bet the BMC tries to DHCP an address before the DHCP server boots entirely.
To me, it seems like a very poor default behavior. I can see the benefit if you know what you're doing and want to enable it though.
Good luck with that, on many devices the BMC gets silently bridged onto the lan ports even if you make a significant effort to prevent it.
Even where you think you have it isolated and have tested, you may later find yourself thwarted when an unoverridable bridge gets triggered any time the dedicated BMC port's link is down.
> Good luck with that, on many devices the BMC gets silently bridged onto the lan ports even if you make a significant effort to prevent it.
I don't think that's true.
I can't speak for all devices, but I've worked with a lot of Dell and SuperMicro servers and they all have an option in the BIOS for this. You specify if the BMC should operate on it's own dedicated network port or share the network port used for primary network uplink.
From the network traffic logs I've gathered, I've never seen any indication of the BMC interfering with the primary LAN ports when the BMC is set to use the dedicated LAN port. Additionally, the BMC doesn't revert back to the shared port if the link is broken on the dedicated port -- the BIOS setting prevents that.
At my company we've configured all of the BMCs to use the dedicated LAN port, those LAN ports are connected to physically separate top of cabinet switches, and those switches are linked to a fully independent core router with it's own independent uplink to the internet. The BMCs are only assigned private network IPs and can only be accessed by outside users through a VPN. This is all very standard practice for the hosting industry.
> I can't speak for all devices, but I've worked with a lot of Dell and SuperMicro servers and they all have an option in the BIOS for this. You specify if the BMC should operate on it's own dedicated network port or share the network port used for primary network uplink.
They do, but on the three supermicro board types I have here, simply doing that but then leaving the BMC port disconnected results in them bridging onto the lan anyways. They obey the setting but only so long as a link is up on the BMC port.
Not when you've gone into the BIOS and configured the BMC to only operate on it's dedicated port.
I'm responsible for netsec at my company and I've never seen any indication of the BMC network activity on primary network ports after I've configured the BMC in BIOS to use it's dedicated network port.
For example your server might have 3 network ports, one is a dedicated BMC, but if it's not populated it will bridge to one of the other two, so basically you only have 1 port that is safe to use.
While this is a good best practice, most current BMCs treat the host as trusted, so if BMCs assume the management network it's trusted, you've just provided a path to pwn every machine on your network if only one of them is compromised. So while that's of course a good best practice, it isn't the be-all-end-all of C security (The same point was made during the presentation on this vulnerability at OSFC this morning).
There's a major, major hosting company whose server IPMIs all had an internet IP and used a default password for an unreasonably long time. I'm honestly not sure how this company is still around.
Can you please name and shame, or at least link to a news article about this?
I'm going to be a little blunt, but the pattern of "there's a well-known company that's done something bad, you probably use their products, but I can't tell you what company because [I don't want to be deposed in a libel lawsuit / I want to feel intellectually superior]" is really long in the tooth, and doesn't add value to the discussion other than to pique everyone's paranoia.
Eh, screw it. It was Rackspace. I worked there, and was told this by a senior member of the infrastructure staff in a one on one. It was was fixed before I got there. They still have similarly bad security flubs.
Last time I looked OVH allowed IPMI access to their servers from the internet. You click a button and it gives you a JNLP which gets you remote console, keyboard/mouse and media.
The OVH IPMI access is pretty cool - needs to be initiated from the web console, no longer requires JNLP, just straight browser access and the web console supports three different two factor authentication methods.
My only regret is that it took us so long to discover and switch to OVH - there are a few wrinkles but it’s such fantastic value compared with colo, let alone AWS/GCP/azure
It feels like maybe Bloomberg knew of something but got the wrong root cause- it seems a lot more likely for someone to sneak in a slightly-reprogrammed BMC than change board layouts /etc., especially considering just how much control BMC's have.
That was my concern. All it would take is a built-in IPMI password. For extra credit, a built-in IPMI password that wasn't listed if you list IPMI passwords.
So I search for "IPMI password", and get this.[1]
"On modern Supermicro IPMI interfaces the default login/ password is:"
Login: ADMIN
Password: ADMIN
That's convenient. Well-documented, too. Is that enabled by default?
FWIW, the implant they were describing could absolutely change a default password in the bitstream. That'd be really neat because you could swap out the flash and still be screwed.
Bloomberg knew of _something_, but Bloomberg isn't a news company. They're a hardware company. That info was passed on to the journos who went and did their own thing (Telephone, chinese whispers, and a healthy dose of confirmation bias).
I was talking to one of the Bloomberg engineers at a bar about six months before the story dropped. There was _something_ and it was _big_, but didn't get any more information than that. The story dropped, and the story was idiotic, but there was still something there. This is probably it.
That the theory presented (inserting a microcontroller INSIDE a circuit board) is absolutely the hardest way to do things, especially when the article (esp. the article's graphics) heavily implied this chip was implanted right next to the empty pad of an SOT-8 footprint that was used for boot flash for the BMC. You could just put a chip on that empty footprint and hardly anyone would catch it.
Or there are the specific quotes from the Bloomberg piece -- "the microchip altered the operating system's core so it could accept modifications" -- is so obtuse that it not only fails to inform the reader, but also sounds like some sort of pseudo-technobabble from someone who doesn't know what they're talking about. Ostensibly, if this story were true, the sources would say something like, "this chip contained a code that overwrote settings, allowing remote access". You know, something that seems like it passed through an editor.
Or there is the fact that the source checking on the story amounted to going to one guy, asking a question, having him say, "yeah, that's possible", coming back a few weeks later with another question, having the source say, "yeah, that's possible too", and assuming these possibilities add up to a certainty.
The bloomberg big hack story is the worst researched and most poorly presented piece of writing in recent memory. It is idiocy in the classical greek sense -- it is disconnected from the polis and any semblance of reality. The authors are still writing for Bloomberg, too.
> That the theory presented (inserting a microcontroller INSIDE a circuit board) is absolutely the hardest way to do things, especially when the article (esp. the article's graphics) heavily implied this chip was implanted right next to the empty pad of an SOT-8 footprint that was used for boot flash for the BMC. You could just put a chip on that empty footprint and hardly anyone would catch it.
Except if they were looking for it. An implant inside the board would be persistent across swapping out or re-imaging the the flash, _and_ wouldn't benoticable unless you were x-raying the board.
And yeah, the graphics weren't perfect, welcome to journalism.
> Or there are the specific quotes from the Bloomberg piece -- "the microchip altered the operating system's core so it could accept modifications" -- is so obtuse that it not only fails to inform the reader, but also sounds like some sort of pseudo-technobabble from someone who doesn't know what they're talking about. Ostensibly, if this story were true, the sources would say something like, "this chip contained a code that overwrote settings, allowing remote access". You know, something that seems like it passed through an editor.
IDK, it sounds like the implant would override one of the keys built into the image, whether that's an update key or a remote access key.
> Or there is the fact that the source checking on the story amounted to going to one guy, asking a question, having him say, "yeah, that's possible", coming back a few weeks later with another question, having the source say, "yeah, that's possible too", and assuming these possibilities add up to a certainty.
> The bloomberg big hack story is the worst researched and most poorly presented piece of writing in recent memory. It is idiocy in the classical greek sense -- it is disconnected from the polis and any semblance of reality. The authors are still writing for Bloomberg, too.
I still haven't heard a legitimate reason from you what doesn't make sense here other than vague "this doens't make sense, I'm so much more intelligent than them".
And I'm an FPGA developer who's personally screwed up SPI flashes via a very similar mechanisms just from bugs.
The entire comment seemed constructive to me. The part I assume you take issue with was constructive, if not worded as nicely as it could have been. The comment appears at least to have been made in good faith, and it's possible that one portion wasn't meant as negatively as you took it. In any case, it's a small minority of the original content of the comment.
I would be interested in your response, as it seems you both present yourself as having good information regarding what is likely or possible in n this space, yet seem to have very different ideas as to what that is.
If these security reports are valid, this may affect not only Supermicro, but other vendors too. From the top of my head, Asus and Gigabyte workstation motherboards also carried AST2400 based BMCs, and theirs ipmi web interface looked very similar(if not totally the same) to supermicro's.
BMCs are scary as hell... even for people who say they isolate them, you also need to do a full audit as many come with rubbish default settings.
For example, Dell's default config on BMC/Idrac (at least 4-5 years ago when I tested) do not have brute force prevention and by default utilising a special CLI program, you can logon to a DRAC from the host OS.
Therefore, if a host got compromised, even if Idrac is on a different network, you could in theory bruteforce from the host credentials and jump/attack the management network.
FYI, for Dell, the command to disable this behaviour was racadm config -g cfgRacTune -o cfgRacTuneLocalConfigDisable 1
> by default utilising a special CLI program, you can logon to a DRAC from the host OS ... Therefore, if a host got compromised, even if Idrac is on a different network, you could in theory bruteforce from the host credentials and jump/attack the management network.
I'm not sure about a DRAC, but for standard BMC units on Dell/SuperMicro servers I am not aware of anyway that you can actually log into the BMC from the host OS.
You can certainly use tools like ipmicfg to reset passwords or configuration on the BMC unit from the host OS, but I don't know of any way that you could actually drop into the command prompt for the BMC and launch an attack on the management network.
As long as you have the BMC on a private IP in an entirely independent network (accessible only via VPN), then a utility like ipmicfg wouldn't help you break into it.
