From: Andy C. <and...@gm...> - 2014-06-06 14:11:56
Dan,

Your paper does use lots of good IPMI LAN data to sound the security alarm, but when sounding the security alarm, including the recommended action(s) is wise/needed. Without something to do, you would only desensitize the readers to the risks.

Actions:
1) Disable Access to the NULL user on the LAN channel(s)
2) Disable Cipher 0 for LAN channel(s)
3) Set passwords locally, not over a network link
4) Change passwords at intervals
5) In some extreme cases, disabling IPMI LAN access entirely may be warranted

Your paper needs to have this laid out in an organized way. Perhaps enumerating the vulnerabilities and actions in a chart would help. We should take a tip from NIST and similar who include the following (sample) summary data points:

CVSS Severity (version 2.0):
CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/AU:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 4.9

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: High
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

Perhaps the next level beyond that is to make it easier for folks to apply the recommended actions, by supplying scripts, etc. Particularly changing the passwords regularly is something that won't get done without automation.

Andy

On Wed, Jun 4, 2014 at 5:20 PM, dan farmer <ze...@fi...> wrote:
> (Please forgive the spam; I wouldn't send such a thing here, let
> alone to ipmiutil, ipmitool, and freeipmi lists separately, but
> people got distressed last time when I didn't send something like
> it out, so... delete if of no interest.)
>
> Working with HD Moore (cc'd) of Rapid 7, who collected much of the
> data, I did some very simple analytics and wrote up a paper on
> something like the state of the union regarding BMC/IPMI security.
>
> http://fish2.com/ipmi/river.pdf
>
> (Summary: it's probably worse than you could imagine, but hey,
> perhaps you're a dreamer too. More ipmi stuff may be found @
> http://fish2.com/ipmi/.)
>
> A big thanks to not only HD for the data and commentary, but for
> the expertise and feedback from Albert Chu and Jarrod Johnson, who
> know more about IPMI than I ever will or want to know.
>
> Feel free to send any corrections, comments, questions, complaints,
> etc. to me.
>
> I'm trying to get the initial raw scan data, minus IP addresses,
> released, but you can do your own Internet scan of UDP 623 in less
> than a day, certainly.
>
> dan
>
> p.s. if anyone from SuperMicro security or IPMI team reads this,
> please drop me a line? RE: Grand Conclusion, page 6, of the
> aforementioned paper.
>
> ¸¸.·´¯`·.¸><(((º>
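Added example, not part of the original thread or of any project's code: a small audit for actions 1 and 2 in the list above, checking saved `ipmitool lan print` and `ipmitool user list` output for an enabled cipher 0 and a NULL user with LAN access. The sample text is constructed, and its column layout is an assumption modelled on ipmitool output that can vary between versions.

```python
import re

# Constructed sample output, modelled on `ipmitool lan print 1` and
# `ipmitool user list 1`; the layout is an assumption and varies by version.
SAMPLE_LAN = """\
IP Address Source       : Static Address
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""
SAMPLE_USERS = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      false      NO ACCESS
"""

# id, name (may be empty), callin, link auth, ipmi msg, privilege limit
USER_ROW = re.compile(
    r"^(\d+)\s+(.*?)\s*(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")

def cipher0_priv(lan_text):
    """Return the privilege letter for cipher suite 0, or None if not reported."""
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*(\S+)", lan_text, re.M)
    # Position n in the string is the maximum privilege for cipher suite n.
    return m.group(1)[0] if m else None

def null_user_lan_access(users_text):
    """True if user ID 1 has an empty name and is usable over this channel."""
    for line in users_text.splitlines():
        m = USER_ROW.match(line)
        if m and m.group(1) == "1" and m.group(2) == "":
            return m.group(5) == "true" and m.group(6).upper() != "NO ACCESS"
    return False

def audit(lan_text, users_text):
    """Return a list of findings for the two checks; empty means both pass."""
    findings = []
    priv = cipher0_priv(lan_text)
    if priv is None:
        findings.append("cipher suite privileges not reported; check manually")
    elif priv != "X":  # 'X' marks an unused cipher suite
        findings.append(f"cipher 0 enabled (max privilege '{priv}')")
    if null_user_lan_access(users_text):
        findings.append("NULL user (ID 1, empty name) has LAN access")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LAN, SAMPLE_USERS):
        print("FINDING:", finding)
```

Run per LAN channel against output collected locally on each host; an empty findings list means both checks passed for that channel.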