06-26-2014, 03:16 AM
6South
Registered User
 
Join Date: Jan 2011
Posts: 84
Supermicro IPMI exploit - still vulnerable

An exploit against Supermicro IPMI from back in November 2013, which allows pulling a plain-text list of users and passwords using a simple GET command to a specific port, was apparently not actually fixed in the firmware updates supplied by Supermicro.

http://arstechnica.com/security/2014...dvisory-warns/

There are a couple of more effective options for your server admins that are not being discussed:

1. Limit IPMI connections to specific IPs.
2. Put IPMI behind a VPN / firewall.
3. Disable Telnet connections.

I've only seen one datacenter post an advisory on this and their solution is to helpfully null route your IPMI connection IPs.
__________________
-= Software / Systems Architect and Server Geek =-