Supermicro IPMI spamming LDAP ports


rpross3

Noticed an internal firewall was blocking access to LDAP/AD ports on one VLAN where the Supermicro IPMI (v. 3.03) dedicated LAN ports were on another VLAN. The DHCP server on the IPMI VLAN is giving out XXX.local as a DNS suffix, and this is the only idea I have as to the cause, but why LDAP? Are they compromised? Something new? They all pass the cleartext PW exploit test. Thanks.
 

MiniKnight

What kind of firewall is it? I had something like this happen but it was an ID-10T error on the admin's part.

I'd start with FW rules. There are hundreds of thousands/millions of these IPMIs out there, so if they had a major new vulnerability you'd see it by now.
 

rpross3

I'll double check for operator error. The firewall is pfSense with VLANs. The rules are blocking access. I hear you on the vulnerability, but someone has to be first... I'll see about removing the DNS suffix from the DHCP options, which still wouldn't explain why the IPMI is trying to access port 389.
 

fractal

I made the mistake of connecting a network port with shared IPMI to the public internet once. It was on a Supermicro motherboard. I got an email from my ISP a few weeks later when the scripters found it and used it for DDoS.

They used a DHCP amplification exploit on me. I believe there are others.

It doesn't sound like this is what is happening to the OP, but do be careful with machines with shared IPMI.