Lenovo Security Bulletin: LEN-10617
Potential impact: If the default settings are not changed, the system can be accessed through IPMI
Scope of impact: industry-wide
CVE id:cve-2013-4037, cve-2013-4031
The Intelligent Platform Management Interface (IPMI), which has identified and documented industry standards in the IT security community, has multiple risks. Because of the default IPMI access provided by Lenovo System X integrated Management Model (IMM), IMM2, and Thinkserver system Manager (TSM), So some of the risks that have been identified exist in these servers.
Intelligent Platform Management Interface (IPMI) is an industry-standard protocol supported by Lenovo and more than 200 computer system vendors, including a set of computer interface specifications that system administrators do not rely on the CPU, firmware, and operating systems of computer systems for Out-of-band management and monitoring of the master computer system.
The IPMI standard specifies that the RAKP protocol used for authentication is defective. Although IMM and TSM do not allow the use of empty passwords, it is possible for hackers to reverse engineer a RAKP transaction and determine the password. The IPMI authentication process requires the management controller to send the hash value of the requested user password to the client before client authentication is performed. This process is a key part of the IPMI specification. The password hash value can be cracked using an offline brute force attack or a dictionary attack.
CVSS vector: (av:n/ac:m/au:n/c:n/i:p/a:n)
IMM, IMM2, and Thinkserver TSM have preconfigured an IPMI user account that has the same default login name and password on all affected systems. If a malicious user accesses the IPMI interface using this preconfigured account, he or she will be able to power down or turn on the host server or reboot the host server, create or change user accounts, and possibly prevent legitimate users from accessing the IMM.
In addition, if the user fails to change the default username and password on each system that he or she has deployed, the user accesses each IMM on those systems with the same logon information.
CVSS vector: (AV:N/AC:L/AU:N/C:C/I:C/A:C)
What measures should be taken to protect themselves:
-After you deploy the server, change the preconfigured user name and password. Doing so will prevent unauthorized users from accessing the IMM through a preconfigured user account.
-If users do not use the IPMI Management Server, you can configure IMM and TSM to not allow IPMI access from these user accounts over the network. This can be achieved by using the Ipmitool utility or similar utilities for managing and configuring the IPMI Management controller. The following is an example of the Ipmitool utility command that prohibits IPMI users from accessing over the network:
Ipmitool Channel setaccess 1 #user_slot # privilege=15
Replace the #user_slot # in the upper command with the actual slot number (1 to 12) and run the command repeatedly for each IMM/IMM2/TSM user that has been configured. The above example details the commands that are run directly on the server itself. If you run the Ipmitool command remotely over a network or use a different utility, the command will vary. Consult the documentation for the utility you are using to determine the correct command syntax. Not allowing access over the network IPMI will not be able to discover user account credentials using vulnerabilities that exist in the IPMI RAKP protocol.
-Prevents both IMM and IMM2 from accessing IPMI over the network. CLI command PORTCONTROL-IPMI off will prohibit access to IPMI over the network and will continue to take effect after the IMM and IMM2 reboot.
-To disable IPMI over LAN network access on TSM, follow the steps below (note: After disabling the IPMI over LAN, you can still use IPMI over Kcs/ssh):
-Log on to Thinkserver TSM
-click the right arrow to display the main menu icon
-Click the Service Management icon
-Select IPMI over LAN from the list of services
-Move the status slider switch to the off position
-click ' Apply ' and select ' Yes ' from the confirmation screen to accept your selections
-Click OK on the Success notification screen
-Use complex passwords with a length of at least 16 characters and mix uppercase and lowercase letters, numbers, and special characters. Using longer, more complex passwords makes it more difficult for malicious users to find valid user credentials.
-Keep the management network separate from the public network. Keep the management network separate and reduce security vulnerabilities by reducing the number of people who can access IMM and TSM.
-Note: The Lenovo xclarity administrator uses IPMI to manage the thinkserver system and some system X systems. If you are using the Xclarity administrator to manage your hardware, ensure that the IPMI account that is used for administration is not disabled.
All the IPMI-using Lenovo systems, including but not limited to:
BladeCenter hs22/hs22v/hs23/hs23e/hx5
Flex System x220 m4/x222 m4/x240 m4/x240 m5/x280/x280 X6
Flex System x440 m4/x480/x480 X6
iDataPlex dx360 m2/dx360 m3/dx360 m4/dx360 M4 Water cooled
NeXtScale nx360 m4/nx360 M5
System x3250 m4/x3250 m5/x3250 M6
System x3500 m2/x3500 m3/x3500 m4/x3500 M5
System x3550 m2/x3550 m3/x3550 m4/x3550 M5
System x3650 m3/x3650 m4/x3650 M4 bd/x3650 M4 hd/x3650 M5
Thinkserver dc5000/dc5100
Thinkserver rd330/rd340/rd350/rd350x
Tthinkserver rd430/rd430x/rd440/rd440x/rd450/rd450x
Thinkserver rd530/rd540/rd550
Thinkserver rd630/rd640/rd640x/rd650
Thinkserver ss430/ss440/ss440x
Thinkserver ts130/ts140/ts150
Thinkserver ts430/ts440/ts450
Additional information and references:
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5093463
Revised version
|
Date
|
Describe
|
1
|
9/29/2016
|
Initial version
|
For the latest information, please pay attention to Lenovo's updates and announcements about your equipment and software. The information in this bulletin is provided "as is" and we do not guarantee any content. Lenovo reserves the right to change or update the notice at any time