Re: [Freeipmi-devel] The Infamous Cipher Zero, I presume?


From: Albert Chu
Subject: Re: [Freeipmi-devel] The Infamous Cipher Zero, I presume?
Date: Fri, 22 Feb 2013 10:30:49 -0800

> I'd love to hear about the vendors that do have this on or off by 
> default.

I know I've seen some vendors not disable it by default (and did not
disable IPMI 1.5's "none" authentication), but I can't recall who.

A random thought/comment.  I do know many vendors do not write their own
IPMI firmware; it usually comes from another company.  I have this
feeling that many of the defaults actually come from the common "parent"
of the firmware, not the vendor itself.

Al

On Fri, 2013-02-22 at 07:53 -0800, dan farmer wrote:
> Many may know this… but it came as a bit of news to me to actually
> *see* it in the wild.  I came across this while working on my little
> audit tool of the config stuff I'd posted here.
> 
> The short version - everyone here probably knows that Cipher Zero is
> the first Cipher in the IPMI 2.0 spec.  It allows you to authenticate
> to IPMI without a password - in other words, it's really no cipher at
> all, or the un-cipher.  It removes all security from IPMI.  But who
> cares, really?  Surely vendors wouldn't turn this on by default, would
> they?  Well… it's enabled on my Dell (iDRAC 6), HP (iLO 3), and
> Supermicro.  That's all the systems I have access to, presumably there
> are more.
>
> Longer version: let's see, to belabor the obvious, to execute an IPMI 
> command, you can use good ol' bmc-config with the proper authentication:
> 
>       $ bmc-config -D LAN_2_0 -I 0 -v -u root -p calvin -h 10.0.0.1 --checkout | grep -i cipher_suite_id_0
>       Maximum_Privilege_Cipher_Suite_Id_0           Administrator
> 
> You know, that line of output is not good. How not good is "not good"? Well, 
> let's try it again... this time with "FluffyWabbit" as the password:
> 
>       $ bmc-config -D LAN_2_0 -I 0 -v -u root -p FluffyWabbit -h 10.0.0.1 --checkout | grep -i cipher_suite_id_0
>       Maximum_Privilege_Cipher_Suite_Id_0           Administrator
> 
> I guess this is neat. Or sad.  Or something.  You can try other passwords to 
> verify FluffyWabbit isn't some vendor hardcoded backdoor ;)
> 
> I believe that IBM, as of the M2/Nehalem generation, has essentially
> abolished cipher zero through the efforts of Jarred B Johnson (kudos
> to both!) I'm not sure who else still has this going on… but you might
> check your own boxes.  I'd love to hear about the vendors that do have
> this on or off by default.
> 
> 
> Disclaimer - various versions of the IPMI utilities - including bmc-config -  
> do not work correctly with cipher 0 and will fail; this misled me early on in 
> testing my own boxes. The latest version of freeipmi seems to work on all the 
> ones I've tested, at least; make sure you have downloaded the latest copy and 
> try this to verify good ol' cipher 0 is still around.
> 
> Most commands say they support cipher zero, but ensure you have the latest 
> version, because bugs abound out there in the tools and/or in the BMCs.  
> Here are a couple more ways to see if this is enabled:
> 
>       $ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit lan print
> 
>       $ ipmiutil lan  -J 0  -N 10.0.0.1 -U admin -P FluffyBunny
> 
> Ipmiutil has a nice printing of the results - anything in the RMCP+ line that 
> looks zero-ish is bad :)
> 
>       $ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U root -P calvin lan print
>       Set in Progress         : Set Complete
>       Auth Type Support       : NONE MD2 MD5 PASSWORD
>       Auth Type Enable        : Callback : MD2 MD5
>                               : User     : MD2 MD5
>                               : Operator : MD2 MD5
>                               : Admin    : MD2 MD5
>                               : OEM      :
>       IP Address Source       : Static Address
>       IP Address              : 192.168.0.23
>       Subnet Mask             : 255.255.255.0
>       MAC Address             : 14:fe:b5:c7:df:28
>       SNMP Community String   : public
>       IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
>       Default Gateway IP      : 192.168.0.1
>       Default Gateway MAC     : 00:00:00:00:00:00
>       Backup Gateway IP       : 0.0.0.0
>       Backup Gateway MAC      : 00:00:00:00:00:00
>       802.1q VLAN ID          : Disabled
>       802.1q VLAN Priority    : 0
>       RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
>       Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
>                               :     X=Cipher Suite Unused
>                               :     c=CALLBACK
>                               :     u=USER
>                               :     o=OPERATOR
>                               :     a=ADMIN
>                               :     O=OEM
> 
> -- d
> 
> ^..^
> 
-- 
Albert Chu
address@hidden
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
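
An audit check for the `lan print` output quoted in the message above, added here as an example (it is not part of the original thread and is not code from FreeIPMI, ipmitool or ipmiutil). It flags cipher suite 0 when it carries any privilege, and IPMI 1.5 "NONE" authentication when it is enabled for a privilege level. The function names are hypothetical, and it assumes the "Cipher Suite Priv Max" string lines up positionally with the listed suites, as it does in the quoted output.

```python
import re

# Constructed sample modelled on the `ipmitool ... lan print` output quoted above.
SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
                        : OEM      :
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
"""

# Legend printed by ipmitool under "Cipher Suite Priv Max"
PRIV = {"X": None, "c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

def parse_lan_print(text):
    """Return (suite -> max privilege, levels with IPMI 1.5 'NONE' auth enabled)."""
    suites, privs, none_levels, in_enable = [], "", [], False
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:  # continuation lines have an empty key and keep the current section
            in_enable = key == "Auth Type Enable"
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in re.findall(r"\d+", value)]
        elif key == "Cipher Suite Priv Max":
            privs = value
        elif in_enable:
            level, _, types = value.partition(":")
            if "NONE" in types.split():
                none_levels.append(level.strip())
    # Assumption: one privilege letter per listed suite, in the same order.
    return {s: PRIV.get(p) for s, p in zip(suites, privs)}, none_levels

def findings(text):
    """Return human-readable findings; an empty list means neither issue was seen."""
    table, none_levels = parse_lan_print(text)
    out = []
    if table.get(0):  # suite 0 listed with anything other than X (unused)
        out.append(f"cipher suite 0 enabled, max privilege {table[0]}")
    out += [f"IPMI 1.5 'NONE' authentication enabled for {lvl}" for lvl in none_levels]
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE) or ["no cipher 0 / NONE-auth exposure found"]:
        print(f)
```

"Auth Type Support" listing NONE is not reported on its own; only a NONE entry under "Auth Type Enable" counts as enabled.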
