[Freeipmi-devel] The Infamous Cipher Zero, I presume?
From: dan farmer
Subject: [Freeipmi-devel] The Infamous Cipher Zero, I presume?
Date: Fri, 22 Feb 2013 07:53:26 -0800
Many may know this… but it came as a bit of news to me to actually *see* it in
the wild. I came across this while working on my little audit tool of the
config stuff I'd posted here.
The short version - everyone here probably knows that Cipher Zero is the first
Cipher in the IPMI 2.0 spec. It allows you to authenticate to IPMI without a
password - in other words, it's really no cipher at all, or the un-cipher. It
removes all security from IPMI. But who cares, really? Surely vendors
wouldn't turn this on by default, would they? Well… it's enabled on my Dell
(iDRAC 6), HP (iLO 3), and Supermicro. That's all the systems I have access
to, presumably there are more.
Longer version: let's see, to belabor the obvious, to execute an IPMI command,
you can use good ol' bmc-config with the proper authentication:
$ bmc-config -D LAN_2_0 -I 0 -v -u root -p calvin -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0
Maximum_Privilege_Cipher_Suite_Id_0 Administrator
You know, that line of output is not good. How not good is "not good"? Well,
let's try it again... this time with "FluffyWabbit" as the password:
$ bmc-config -D LAN_2_0 -I 0 -v -u root -p FluffyWabbit -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0
Maximum_Privilege_Cipher_Suite_Id_0 Administrator
I guess this is neat. Or sad. Or something. You can try other passwords to
verify FluffyWabbit isn't some vendor hardcoded backdoor ;)
I believe that IBM, as of the M2/Nehalem generation, has essentially abolished
cipher zero through the efforts of Jarred B Johnson (kudos to both!) I'm not
sure who else still has this going on… but you might check your own boxes. I'd
love to hear about the vendors that do have this on or off by default.
Disclaimer - various versions of the IPMI utilities - including bmc-config -
do not work correctly with cipher 0 and will fail; this misled me early on in
testing my own boxes. The latest version of freeipmi seems to work on all the
ones I've tested, at least; make sure you have downloaded the latest copy and
try this to verify good ol' cipher 0 is still around.
Most commands say they support cipher zero, but ensure you have the latest
version, because bugs abound out there in the tools and/or in the BMCs. Here's
a couple of more ways to see if this is enabled:
$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit lan print
$ ipmiutil lan -J 0 -N 10.0.0.1 -U admin -P FluffyBunny
Ipmiutil has a nice printing of the results - anything in the RMCP+ line that
looks zero-ish is bad :)
$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U root -P calvin lan print
Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
Auth Type Enable : Callback : MD2 MD5
: User : MD2 MD5
: Operator : MD2 MD5
: Admin : MD2 MD5
: OEM :
IP Address Source : Static Address
IP Address : 192.168.0.23
Subnet Mask : 255.255.255.0
MAC Address : 14:fe:b5:c7:df:28
SNMP Community String : public
IP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
Default Gateway IP : 192.168.0.1
Default Gateway MAC : 00:00:00:00:00:00
Backup Gateway IP : 0.0.0.0
Backup Gateway MAC : 00:00:00:00:00:00
802.1q VLAN ID : Disabled
802.1q VLAN Priority : 0
RMCP+ Cipher Suites : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max : aaaaaaaaaaaaaaa
: X=Cipher Suite Unused
: c=CALLBACK
: u=USER
: o=OPERATOR
: a=ADMIN
: O=OEM
-- d
^..^
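
The check the message does by eye on the "RMCP+ Cipher Suites" and "Cipher Suite Priv Max" lines can be scripted for auditing your own BMCs. The following is an added example, not part of the original post and not FreeIPMI or ipmitool code; the function names and the second sample are constructed, and it assumes the Nth privilege letter belongs to the Nth listed suite.

```python
# Added example: audit the cipher-suite lines of `ipmitool ... lan print` output.
# Legend letters are the ones ipmitool prints under "Cipher Suite Priv Max".
PRIV = {"X": "UNUSED", "c": "CALLBACK", "u": "USER",
        "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# The relevant lines as they appear in the output quoted in the message.
FROM_POST = """\
RMCP+ Cipher Suites : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max : aaaaaaaaaaaaaaa
: X=Cipher Suite Unused
"""

# Constructed sample (not from the post): suite 0 listed but marked unused.
CONSTRUCTED_HARDENED = """\
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : Xaaa
"""

def cipher_privs(lan_print):
    """Map each listed cipher suite ID to its maximum privilege level.

    Assumption: the Nth privilege letter belongs to the Nth listed suite.
    """
    suites = letters = None
    for line in lan_print.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip().isdigit()]
        elif key == "Cipher Suite Priv Max":
            letters = value
    if suites is None or letters is None:
        raise ValueError("cipher suite lines not found in lan print output")
    # A short or odd privilege string yields UNKNOWN rather than a guess.
    return {sid: PRIV.get(letters[i], "UNKNOWN") if i < len(letters) else "UNKNOWN"
            for i, sid in enumerate(suites)}

def cipher_zero_finding(lan_print):
    """Return a finding string if suite 0 is usable at any privilege, else None."""
    level = cipher_privs(lan_print).get(0)
    if level in (None, "UNUSED"):
        return None
    return f"cipher suite 0 enabled, max privilege {level}"

if __name__ == "__main__":
    for name, text in (("post", FROM_POST), ("hardened", CONSTRUCTED_HARDENED)):
        print(name, "->", cipher_zero_finding(text) or "cipher suite 0 not usable")
```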