Easy SuperMicro Security Hole: IPMI failover mode by default

[fmatthew5876]

So I've been using a Supermicro 5018A-FTN4 system as my shiny new pfsense router.

I have crap Att U-verse internet, which requires setting up a double NAT. I was debugging a port forwarding issue and I noticed on the att router there was another machine connected. This made no sense, as the only thing on the att network should be my pfsense router WAN.

The 5018A-FTN4 has a dedicated IPMI network port, but it turns out by default that IPMI is set to failover mode. What this means is that if you don't connect the IPMI port to your network, it will default to sharing it with Network port 0. This also happens to be igb0, the default WAN port chosen by a fresh pfsense install. The result is that you could be exposing the IPMI access on your router to the whole internet!

Luckily, the much hated uverse double NAT is the only thing that saved me here. I had no idea this failover feature existed and simply assumed the dedicated IPMI port was the only one. I thought I was being prudent leaving IPMI disconnected but instead I was inadvertently exposing my whole network to a massive security hole.

The fix is to change the setting from "Failover" to "Dedicated". You can do this by connecting to IPMI using a web browser. Go to Configuration -> Network and then change Lan Interface: to "Dedicated".

Maybe I'm just inexperienced and made a noob mistake, but this seems like a pretty dumb default setting. Especially for a system which is built specifically for low power applications like routing.

 

[Evan]

I am not sure it's a dumb default but your right it's better if default was dedicated in the eyes of enterprise guys but it simply pays to review all setting on a new system.
(Some people would say it's dumb not to failover if you have the capabilities, no doubt it's set like that so a new install has the best chance of connecting to a network, any network that's present)

 

[Evan]

I am not sure it's a dumb default but your right it's better if default was dedicated in the eyes of enterprise guys but it simply pays to review all setting on a new system.
(Some people would say it's dumb not to failover if you have the capabilities, no doubt it's set like that so a new install has the best chance of connecting to a network, any network that's present)

 

[Blinky 42]

That is why I always put the first interface on a system as internal network and any public interface is later.
Not only do you need to make sure you know what is setup for IPMI, you need to make sure PXE booting is only enabled on interfaces you expect. Putting the first NIC on the inside helps on both fronts.

The older SM motherboards were much worse at failing over and back to the dedicated NIC in a predictable way w/o a hard power off, the new ones have been better in our experience but early fights with x7 boards set the habit of forcing it to dedicated before even installing the OS.

 

[i386]

How do you guys who work in data centers handle "problems" like thisone?

At home I set up everything (ipmi settings, rights, users) on server,switches and other devices directly with a laptop and then "deploy" them.

 

[PigLover]

In production datacenters deployment tools are used that set all the relevant configuration prior to deoloyment (or immediately after it is connected to the network using discovery/autodeploy tools).

In datacenters with good operational discipline the configurations are read back periodically, confirmed against what is expected and corrected if wrong.

Sent from my SM-G950U using Tapatalk

 

[whitey]

AKA puppet/ansible :-D

 

[T_Minus]

Excuse the ignorance but puppet/ansible can set BIOS settings?
Or, is all this capable of being done via IPMI via those tools?

 

[PigLover]

You can set the BIOS parameters if the vendor exposes them through their management tools. Supermicro IPMI does not - but other manufacturers do.

Sent from my SM-G950U using Tapatalk

 

[RTM]

This issue comes up every now and again, but I agree it is a stupid default.
From a security perspective it is a nightmare, because the IPMI systems are essentially full embedded system, that are network connected and infrequently updated. There has been plenty of CVEs for Supermicros IPMI implementations over the years to warrant network segregation.

I hope that we can one day get an alternative firmware like OpenBMC for our IPMI, so we can get something that is more hardened.

Anyway for what it is worth, I am fairly certain that newer Supermicro boards default to "dedicated only" mode, at least I seem to remember that the X10DRI board I bought a half year ago had that set as default.

 

[RobertFontaine]

It may be a pain for security guys but it is awfully nice when you need to get diagnostics out of a flakey board.

 

[Chankster]

Anyway for what it is worth, I am fairly certain that newer Supermicro boards default to "dedicated only" mode, at least I seem to remember that the X10DRI board I bought a half year ago had that set as default.

I double checked several of our X9 and X10 boards and they're all being delivered to us with failover as the default.