Supermicro IPMI BMC security - how to disable HTTP?


Solution 1

Supermicro IPMI BMCs are extremely useful, but they are not engineered for security. I recommend keeping IPMI on a separate interface/VLAN. Even if you are able to disable port 80, it is highly likely that there are undocumented remote exploit vulnerabilities.
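
The separate-VLAN advice only helps if something enforces what may cross into that VLAN. The script below is an added example, not code from the answer above or from Supermicro: an nftables allow-list for a Linux router sitting between the management network and the BMC VLAN. It assumes 10.0.10.0/24 is where the jump host and admin workstations live, 10.0.99.0/24 is the BMC VLAN, and the BMCs still listen on their default ports (623/udp for RMCP+ IPMI-over-LAN, 443/tcp https, 80/tcp http, 22/tcp ssh, 5900/tcp vnc); all of those numbers are assumptions to replace with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the post: an allow-list for the IPMI VLAN enforced on a
# Linux router with nftables. Assumed addressing: 10.0.10.0/24 is the network the
# jump host/admin workstations live on, 10.0.99.0/24 is the BMC VLAN, and the BMCs
# still use the default ports (623/udp RMCP+, 443/tcp https, 80/tcp http,
# 22/tcp ssh, 5900/tcp vnc). Adjust to your own numbering.
set -eu

MGMT_NET="${MGMT_NET:-10.0.10.0/24}"
BMC_NET="${BMC_NET:-10.0.99.0/24}"

# Emit the ruleset as text; nothing is installed until apply_ruleset is called.
ipmi_vlan_ruleset() {
  local mgmt="$1" bmc="$2"
  cat <<EOF
table inet ipmi_guard {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to connections the jump host opened
    ct state established,related accept
    # jump hosts reach the BMCs over IPMI-over-LAN (RMCP+) and HTTPS, nothing else
    ip saddr $mgmt ip daddr $bmc udp dport 623 accept
    ip saddr $mgmt ip daddr $bmc tcp dport 443 accept
    # plaintext web UI, ssh and vnc: dropped explicitly so the counter shows attempts
    ip daddr $bmc tcp dport { 80, 22, 5900 } counter drop
    # the BMC VLAN never originates traffic towards the rest of the network
    ip saddr $bmc counter drop
  }
}
EOF
}

# Parse-only check of the generated ruleset (nft -c), useful before a change window.
check_ruleset() { ipmi_vlan_ruleset "$1" "$2" | nft -c -f -; }

# Install the ruleset; drop an earlier ipmi_guard table first so re-applying
# does not leave duplicate rules behind.
apply_ruleset() {
  nft list table inet ipmi_guard >/dev/null 2>&1 && nft delete table inet ipmi_guard
  ipmi_vlan_ruleset "$1" "$2" | nft -f -
}

case "${1:-}" in
  --check) check_ruleset "$MGMT_NET" "$BMC_NET" ;;
  --apply) apply_ruleset "$MGMT_NET" "$BMC_NET" ;;
  *)       ipmi_vlan_ruleset "$MGMT_NET" "$BMC_NET" ;;
esac
```

Run it with no arguments to print the ruleset, `--check` to have `nft -c` parse it, and `--apply` (as root) to install it. Because the chain's policy is `drop` and only 623/udp and 443/tcp are accepted, moving the BMC's web server to a different port (the only knob the asker found in the web interface) does not reopen anything; the explicit drop for 80, 22 and 5900 exists so that `nft list table inet ipmi_guard` shows a counter of blocked attempts. Only IPv4 is matched, so any IPv6 traffic also falls through to the drop policy. If the BMCs must send NTP or SMTP alerts, add specific accepts for those rather than loosening the outbound drop.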

Solution 2

There is an OEM extension for IPMI that Supermicro supports to disable non-IPMI ports on their service processor. I'm not sure which motherboard lines it is currently supported in and what firmware versions it is in, but it may be worth trying out.

I'm not sure if the extension is supported in any of Supermicro's client software. The OEM extension is currently supported in FreeIPMI's ipmi-oem tool (disclaimer: I maintain this project, so this is a mini-plug). Here's the relevant chunk from the manpage.

Supermicro

get-bmc-services-status

This OEM command will determine if non-IPMI services (e.g. ssh, http, https, vnc, etc.) are currently enabled or disabled on the BMC. Command confirmed to work on Supermicro X8DTG.

set-bmc-services-status enable|disable

This OEM command will enable or disable all non-IPMI services on the BMC. This command can be used to enable or disable non-IPMI services such as ssh, http, https, and vnc. Command confirmed to work on Supermicro X8DTG.
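
The manpage entries above describe an all-or-nothing switch: `set-bmc-services-status disable` turns off https, ssh and vnc together with http, so afterwards the BMC is reachable only over RMCP+ (IPMI-over-LAN). The script below is an added example, not the answerer's or FreeIPMI's own code, that runs the OEM commands with a before/after port check around them. It assumes FreeIPMI's `ipmi-oem` is installed on the jump host, the BMC is at 10.0.99.21, the account is ADMIN with its password in `IPMI_PASSWORD`, and that `get-bmc-services-status` prints a single word, `enabled` or `disabled`, when the command is supported (the host address, user and output format are assumptions).

```shell
#!/usr/bin/env bash
# Added example, not the post's or FreeIPMI's own code: use FreeIPMI's Supermicro OEM
# extension to switch the non-IPMI services off and verify the result from the network.
# Assumptions: ipmi-oem is installed, the BMC is reachable at $BMC (default 10.0.99.21),
# the account is ADMIN with its password in $IPMI_PASSWORD, and get-bmc-services-status
# prints a single word, "enabled" or "disabled", when the command is supported.
set -eu

BMC="${BMC:-10.0.99.21}"
IPMI_USER="${IPMI_USER:-ADMIN}"
IPMI_PASSWORD="${IPMI_PASSWORD:-}"

# Run one Supermicro OEM command over RMCP+ (IPMI 2.0, -D LAN_2_0) and merge stderr,
# so an error such as "Invalid data field in Request" is captured with the output.
ipmi_oem_cmd() {
  ipmi-oem -D LAN_2_0 -h "$BMC" -u "$IPMI_USER" -p "$IPMI_PASSWORD" -l admin \
    Supermicro "$@" 2>&1
}

# Map ipmi-oem's text to enabled / disabled / unsupported / unknown.
# "Invalid data field in Request" is the reply from a BMC whose firmware lacks the
# OEM extension (the error the asker reports for an H8SCM in the comments on this question).
classify_status() {
  case "$1" in
    *disabled*)                          echo disabled ;;
    *enabled*)                           echo enabled ;;
    *"Invalid data field in Request"*)   echo unsupported ;;
    *)                                   echo unknown ;;
  esac
}

# TCP probe with bash's /dev/tcp, so no nmap is needed on the jump host.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

report_ports() {
  local p
  for p in 22 80 443 5900; do
    if port_open "$BMC" "$p"; then echo "  tcp/$p open"; else echo "  tcp/$p closed"; fi
  done
}

main() {
  [ -n "$IPMI_PASSWORD" ] || { echo "set IPMI_PASSWORD" >&2; exit 1; }
  echo "before:"; report_ports
  # The inner ipmi-oem failure is deliberately swallowed: its text is what we classify.
  status="$(classify_status "$(ipmi_oem_cmd get-bmc-services-status || true)")"
  echo "non-IPMI services: $status"
  case "$status" in
    unsupported) echo "firmware lacks the OEM extension; filter port 80 upstream instead" >&2; exit 2 ;;
    unknown)     echo "unrecognised ipmi-oem output, leaving the BMC untouched" >&2;        exit 3 ;;
  esac
  if [ "$status" = enabled ]; then
    # This disables https, ssh and vnc as well as http; only RMCP+ remains afterwards.
    ipmi_oem_cmd set-bmc-services-status disable
  fi
  echo "after:"; report_ports
  # Confirm the IPMI-over-LAN path still answers, i.e. we have not locked ourselves out.
  echo "services now: $(classify_status "$(ipmi_oem_cmd get-bmc-services-status || true)")"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `IPMI_PASSWORD=... ./bmc-services.sh --run`. The final status query matters: it proves the RMCP+ path that `ipmitool`/FreeIPMI use is still answering, which is the only way left to run `set-bmc-services-status enable` if the change has to be reverted. `-D LAN_2_0` keeps the script itself from falling back to IPMI 1.5 authentication. When the status comes back `unsupported`, the firmware does not implement the extension and the remaining option is to block port 80 at the firewall in front of the IPMI VLAN.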


Author by Arenstar

Updated on September 18, 2022

Comments

  • Arenstar
    Arenstar almost 2 years

    On my Supermicro Server, using a H8SCM motherboard, I have an IPMI card.

    The IPMI card is version 2.0 and it is running the 2.37 firmware.

    The problem I have is that I find no feasible way to disable port 80 (HTTP access).

    As user ADMIN...

    Through the Web Interface, I can only change the port (1-65535)
    Through the SSH login, I have no access to any relative or interesting information whatsoever
    Through ipmitool, I can only change settings related to SOL
    Through the patched SuperMicro ipmitool, there is no setting available
    

    Am I missing something, or has Supermicro left a gaping security hole allowing plaintext password transmission???

    • mfinni
      mfinni about 12 years
      Are you certain that it allows you to authenticate over HTTP? Their spec page says they use HTTPS, so I am (perhaps naively) assuming that they allow you to connect over 80 and then redirect you to HTTPS. Can you test this and let me know? I don't have access to a SuperMicro server to test my guess.
    • Arenstar
      Arenstar about 12 years
      I am capable of connecting to port 80 and logging in without redirection to 443 :( I would like to see port 80 closed.
    • mfinni
      mfinni about 12 years
      Have you tried contacting their support, to see what they say? Not to discourage you from asking here as well, but you're asking whether a product has a given feature. Seems like the manufacturer of the product should be your first stop.
    • Arenstar
      Arenstar about 12 years
      I have, and haven't even received acknowledgment of my question. :( I was hoping the public could help me out here...
    • mfinni
      mfinni about 12 years
      You could just remember to not use http, always use https. It's more work on your part (there are browser plugins to help you with this though.) If you don't use the insecure method, then you're not exposing yourself to the vulnerability.
  • Arenstar
    Arenstar about 12 years
    I have mine on my internal interface where my LAN IP addresses are. It allows me to access them externally through proxying or SSH forwarding. How do you manage these remotely on a different network/interface/VLAN?
  • mfinni
    mfinni about 12 years
    With a router, typically. That's how networks work.
  • Arenstar
    Arenstar about 12 years
    mfinni... I don't think that would suffice for PCI-DSS certification. A router would result in the same situation I have right now. We need security obviously, and accessibility outside of my datacenter. Miles, when you separate these on a separate interface/VLAN, what methods do you use to manage your IPMIs externally (also through proxying or SSH hopping through a jump server)? Although my IPMIs are only accessible from my internal network, I recently had some professional penetration tests, and the general view is that port 80 is a problem and should be removed.
  • mfinni
    mfinni about 12 years
    A router with firewall capabilities, or a firewall added in as an in-line device. Block port 80 into that subnet, and it is no longer a vulnerability.
  • Hecter
    Hecter about 12 years
    Correct. Even the sort of Cisco router that you can buy used for under $50 (e.g. 1760) will let you configure extended ACLs. Add a managed switch that supports VLAN trunking (again you're looking at $50 and up, e.g. 2950) and you have a rudimentary managed network including everything you need to segregate VLANs and route between them. Obviously, newer/faster/better/in-warranty equipment costs more.
  • Arenstar
    Arenstar about 12 years
    OK... I was hoping. However, I received "Supermicro:get-bmc-services-status failed: Invalid data field in Request" :(