iLo, iLo – It’s off to Hack We Go…

Out of band management access to your servers can often be a lifesaver – whether it goes by the name iLO, DRAC, IMM or iKVM, the principle is the same – a separate little computer inside the server with its own network connection and set of authentication credentials. Where could the security risk be in that?

‘Ah-ha’, you may say, we know that most of these devices ship with disturbingly weak default credentials (with the exception of HP, variations on admin/admin) and have changed to our own super secure set. All’s good, right?

Possibly not. As used to my own benefit this week (a long story involving an old development server and missing iLO credentials…), some of the devices are disturbingly easy to hijack. The problem lies with something called “Intelligent Platform Management Interface”, or IPMI for short. IPMI listens on UDP port 623 and, to all intents and purposes, offers a command-line version of the Web Based interface more typically used to administer iLO-type devices.

Normally you need a username and password to authenticate against the IPMI interface, and all communication is encrypted. Bizarrely though, a bad implementation of the IPMI specification (common to all the main server vendors) means you can effectively use something called the ‘Cipher 0’ option to sidestep not just encryption but authentication too. As an attacker or simply an admin who forgot to note down the credentials, once you can talk to a vulnerable IPMI device, it’s essentially just a 5 minute job to get full administrative access to the iLO/DRAC/whatever interface and in very short order take over control of the entire physical server.

Thankfully for those of you with old server firmware still as it came from the factory, all of the big vendors have released updated firmware to patch this particular hole (it dates from late 2013 remember), so fixing should be straightforward. Whilst the most serious, this isn’t the only security problem with IPMI – it’s definitely worth taking some time to think more generally about how IPMI-enabled devices are set up and secured on your network.
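One way to check whether a given BMC still accepts Cipher 0, as an added example that is not part of the original post: it parses the text that `ipmitool lan print` produces on the host and reports whether cipher suite 0 is still assigned a privilege level. The sample outputs are constructed, and the code assumes character N of the `Cipher Suite Priv Max` string applies to cipher suite N.

```python
import re

# Legend ipmitool prints under "Cipher Suite Priv Max"
PRIVS = {"X": "unused", "c": "CALLBACK", "u": "USER",
         "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed sample output: factory-style settings, suite 0 allowed up to ADMIN
SAMPLE_FACTORY = """\
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""
# Constructed sample output: same BMC with suite 0 marked unused
SAMPLE_HARDENED = SAMPLE_FACTORY.replace("aaaaXXaaaXXaaXX", "XaaaXXaaaXXaaXX")


def cipher0_status(lan_print: str) -> dict:
    """Summarise the cipher suite 0 state from `ipmitool lan print` text."""
    suites = re.search(r"^RMCP\+ Cipher Suites\s*:\s*(.*)$", lan_print, re.M)
    privs = re.search(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]+)\s*$", lan_print, re.M)
    listed = suites is not None and "0" in [s.strip() for s in suites.group(1).split(",")]
    if privs is None:
        # No privilege map in the output: report unknown rather than guess
        return {"listed": listed, "max_priv": None, "at_risk": None}
    # Assumption: character N of the map is the limit for cipher suite N
    max_priv = PRIVS[privs.group(1)[0]]
    return {"listed": listed, "max_priv": max_priv, "at_risk": max_priv != "unused"}


if __name__ == "__main__":
    for name, text in (("factory", SAMPLE_FACTORY), ("hardened", SAMPLE_HARDENED)):
        print(name, cipher0_status(text))
```

Where suite 0 shows as enabled, `ipmitool lan set <channel> cipher_privs` with `X` in the first position marks it unused, alongside the vendor firmware update.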

Best practice would always see out of band interfaces on a separate physical network and at the very least they should be on a separate management VLAN with heavily restricted access – you definitely don’t want everyday users to be able to poke around on iLO. You should also treat the out of band management devices just as you would a normal server – include them in your vulnerability and patching processes, set up two-factor authentication where possible and make sure they’re protected by IPS and logging system events to a syslog server. Oh, and if you’re an organisation that uses the same password across lots of devices, make sure you remember to include this in your cleansing process before listing old kit on eBay!

If you need assistance in understanding whether your organisation is at risk from this, or any other IT threats a modern business faces, we’re here to help. At ITC we’re experts in vulnerability scanning and secure network design. Take a look through our website for more details of what we can offer and get in touch. By phone on: 020 7517 3900 or email to: [email protected]