June 4th, 2014 - paper

A paper (11 pages) surveying IPMI and BMC security on the Internet; version 1.00 (June 4th, 2013):

Sold Down the River

A modestly lengthy paper (31 pages) on IPMI and BMC security; version 2.01 (August 12th, 2013):

IPMI: Freight Train to Hell, bloated director's cut.

- or -

IPMI: Express Train to Hell (one page, G-rated version; HTML/PDF)

The one-page version is the express/single page/reader's digest one; it has various generalities I try to fully explain in the paper or supporting documents.

(Older material and first version of paper may be found here.)

Note #2. HD Moore put together a really fine set of methods to exploit various issues with IPMI. Required reading for some of the dangers. Dark times ahead (not because of his work ;))

Serious problem

Note #3. Zach Wikholm reported a nigh critical vulnerability (also reported last year, and I found about 30K then in a spot scan as well, but it's high time people started actually listening) in about a zillion and one (est :)) SuperMicro BMCs, as well as some interesting other problems. If you have a SM you really need to check this out. Spot checks reveal a LOT of vulnerable BMCs because of recovered passwords - for more see: Big Trouble in little BMC land

Kudos to Zach for finding these things, and Cari.net for supporting him.

Note #4. Facebook has put out OpenBMC, an interesting looking implementation that, in theory, may be placed on BMCs. Problematically, most vendors (HP, Dell, IBM, etc.) won't let you install firmware that isn't signed by them... so you're out of luck. Plus, the low-level drivers and so on... who knows. I couldn't get it to build, myself, but let's remain hopeful. If anyone knows of (publicly available) hardware that this will actually run on, drop me a line.