Threats Associated with Using IPMI in Publicly Accessible Networks and the Necessity of Regular Updates - IPMI Best Practices

| F.A.Q.Supermicro newsSupport
Facebook Twitter Clipboard

Threats Associated with Using IPMI in Publicly Accessible Networks and the Necessity of Regular Updates

In the era of digitization, remote server management has become not only a convenience but a necessity. The Intelligent Platform Management Interface (IPMI) is one of the tools that facilitates the administration of server hardware from anywhere in the world. However, like any powerful tool, it carries risks, especially when exposed to public IP addresses.

Supermicro IPMI new interface

Threats Associated with Exposing IPMI Interfaces to Public IP Addresses

  1. Brute Force Attacks and Remote Takeover: Exposing IPMI to a public IP address makes servers vulnerable to brute force attacks, where hackers try hundreds of thousands of login and password combinations until they find the correct one. If the login credentials are weak, the server can be taken over.
  2. Exploitation of Known Vulnerabilities: Publicly accessible IPMI becomes an easy target for attackers who regularly scan networks for known vulnerabilities. Examples include the security flaws CVE-2019-16649 and CVE-2019-16650, which affected specific IPMI software, allowing for privilege escalation and unauthorized system access.
  3. Denial of Service (DoS): Attackers can carry out DoS attacks on IPMI interfaces, leading to system overload and denying access to authorized users. Such attacks can effectively disable remote hardware management at critical moments.

CVE Cases: CVE-2019-16649 and CVE-2019-16650

  • CVE-2019-16649: This vulnerability allows a remote attacker to gain unauthorized access to the IPMI system through malicious packets. Attackers can exploit this flaw to bypass authentication mechanisms and gain access to administrative functions.
  • CVE-2019-16650: This flaw enables privilege escalation, meaning an attacker with limited system access can gain full administrator rights. This allows full control over the server, including remote shutdown, restart, or configuration changes.

The Necessity of Regular Updates

Attacks on IT systems evolve daily, and hackers constantly seek new ways to breach security. Therefore, it is crucial that IPMI systems are regularly updated. Software manufacturers often release updates containing security patches that fix detected vulnerabilities.

  • Proactive Update Management: Server owners should regularly monitor manufacturer websites and CVE databases (Common Vulnerabilities and Exposures) to stay informed about the latest threats and available patches.
  • Network Segmentation: To minimize risk, network segmentation and isolating management interfaces from the public Internet is recommended. Access to IPMI should only be possible from trusted internal networks or through secure VPNs.
  • Strong Authentication Mechanisms: Implementing strong passwords and additional authentication mechanisms, such as two-factor authentication (2FA), significantly complicates potential attackers' attempts to gain control over the system.

Using Extended IPMI Licenses

Purchasing and using extended IPMI licenses is a good practice for any administrator. These not only facilitate work but also add new capabilities, such as:

  • Ability to update BIOS from the IPMI level
  • Enhancements related to remote console access, e.g., HTML5 allowing virtual disk mounting
  • RAID controller management
  • Power consumption monitoring
  • Additional Security Features
  • Enhanced Logging and Reporting
  • Custom Alerts and Notifications

Supermicro Provides Licenses Extending IPMI Capabilities

Supermicro System Management Software License
  Standard Basic Advanced Enterprise
Description Covers all core functionality to effectively set up, manage, and monitor your Supermicro systems. These features are available to all Supermicro users. Extends the core functionality and makes system management easier with additional features, such as remote BIOS management and system updates. Delivers a broad set of tools to help administrators improve the performance, up-time, and monitoring of Supermicro systems. Offers an extensive platform to manage large data centers and coordinate automated lifecycle management, software-defined infrastructure, and more in a single pane of glass.
License No license required SFT-OOB-LIC SFT-DCMS-SINGLE SFT-DCMS-SINGLE + SFT-SDDC-SINGLE
 Key features
  • Secure remote console (KVM/HTML5)
  • System temperature monitoring
  • System power thresholds & alerts
  • Component monitoring
  • Email alerting
  • Remote configuration
  • Offline diagnostics
  • Crash dump
  • License management
  • Remote BMC management
  • Remote BIOS management
  • Out-of-Band systems checks
  • TPM Provisioning
  • Mount/Unmount ISO images from Samba/HTTP via JAVA
  • Basic Redfish APIs
  • CIM management
  • SysLog 
  • Remote OS deployment
  • Mount/Unmount ISO images from Samba/HTTP via HTML5
  • Auto-discovery
  • Power capping
  • RAID monitoring and configuration
  • HDD monitoring
  • Advanced Redfish APIs
  • FW update policy
  • System lock down
  • Crash screen/video capture 
  • 3rd Party vendor support
  • POD & Rack-level management
  • SDI Lifecycle management
  • Manage Composable Dissagregated Infrastructure
  • Zero-touch provisioning for network configuration
  • Single pane of glass for data center deployment
  • Rich analytics & telemetry
  • User defined role-based access control 
 Included applications Supermicro Signature Verification Utility, IPMICFG, IPMIView, SMCIPMITool (base features), SD5, TAS, SDO (base features), BMC (base features), SuperBlade (BNM, CMM) As Standard +
SMCIPMITool (expanded features), SUM (base features)		 As Basic +
BMC (all features), SDO (all features), SUM (all features), SPM, SSM, 3rd party software plug-ins (1) 		 As Advanced +
SCC 

(1) All features listed are for validated components only. Exceptions may apply.

(2) Service Call Feature for SSM and SUM requires separate add-on license.

Summary

Using IPMI brings significant benefits, but it also requires a responsible approach to security. Exposing these interfaces to public IP addresses without proper safeguards exposes servers to serious risks. Regular updates, strong security measures, and good network management practices are crucial to ensure the safety and stability of server systems. Stay current with updates and ensure your systems are always protected against the latest threats.

Related pages:

  1. IPMIView for Android & IPMIView for iOS & IPMIView for Windows & IPMIView for Linux
  2. IPMI Hard Reset
  3. Fibre Channel cards available from SupermicroNew unique password for IPMI - BMC Unique Password
  4. How to activate SFT-OOB-LIC and SFT-DCMS-SINGLE JSON license on Supermicro motherboards with old BMC Web? SUM (Supermicro Update Manager)
  5. How to activate SFT-DCMS-LIC IPMI license, if SFT-OOB-LIC license is already activated and it can't be uploaded through Web GUI?