There is a risk of using the Intelligent Platform Management Interface (IPMI) on Lenovo System X

Source: Internet
Author: User
Tags hash cve lenovo
Failure phenomenon:
Lenovo Security Bulletin: LEN-10617
Potential impact: If the default settings are not changed, the system can be accessed through IPMI
Severity: High
Scope of impact: industry-wide
CVE id:cve-2013-4037, cve-2013-4031
Summary description:
The Intelligent Platform Management Interface (IPMI), which has identified and documented industry standards in the IT security community, has multiple risks. Because of the default IPMI access provided by Lenovo System X integrated Management Model (IMM), IMM2, and Thinkserver system Manager (TSM), So some of the risks that have been identified exist in these servers.
Intelligent Platform Management Interface (IPMI) is an industry-standard protocol supported by Lenovo and more than 200 computer system vendors, including a set of computer interface specifications that system administrators do not rely on the CPU, firmware, and operating systems of computer systems for Out-of-band management and monitoring of the master computer system.
CVE id:cve-2013-4037
Describe:
The IPMI standard specifies that the RAKP protocol used for authentication is defective. Although IMM and TSM do not allow the use of empty passwords, it is possible for hackers to reverse engineer a RAKP transaction and determine the password. The IPMI authentication process requires the management controller to send the hash value of the requested user password to the client before client authentication is performed. This process is a key part of the IPMI specification. The password hash value can be cracked using an offline brute force attack or a dictionary attack.
CVSS basic score: 4.3
CVSS vector: (av:n/ac:m/au:n/c:n/i:p/a:n)
CVE id:cve-2013-4031
Describe:
IMM, IMM2, and Thinkserver TSM have preconfigured an IPMI user account that has the same default login name and password on all affected systems. If a malicious user accesses the IPMI interface using this preconfigured account, he or she will be able to power down or turn on the host server or reboot the host server, create or change user accounts, and possibly prevent legitimate users from accessing the IMM.
In addition, if the user fails to change the default username and password on each system that he or she has deployed, the user accesses each IMM on those systems with the same logon information.
CVSS Basic Score: 10
CVSS vector: (AV:N/AC:L/AU:N/C:C/I:C/A:C)

Solution:
What measures should be taken to protect themselves:
-After you deploy the server, change the preconfigured user name and password. Doing so will prevent unauthorized users from accessing the IMM through a preconfigured user account.
-If users do not use the IPMI Management Server, you can configure IMM and TSM to not allow IPMI access from these user accounts over the network. This can be achieved by using the Ipmitool utility or similar utilities for managing and configuring the IPMI Management controller. The following is an example of the Ipmitool utility command that prohibits IPMI users from accessing over the network:
Ipmitool Channel setaccess 1 #user_slot # privilege=15
Replace the #user_slot # in the upper command with the actual slot number (1 to 12) and run the command repeatedly for each IMM/IMM2/TSM user that has been configured. The above example details the commands that are run directly on the server itself. If you run the Ipmitool command remotely over a network or use a different utility, the command will vary. Consult the documentation for the utility you are using to determine the correct command syntax. Not allowing access over the network IPMI will not be able to discover user account credentials using vulnerabilities that exist in the IPMI RAKP protocol.
-Prevents both IMM and IMM2 from accessing IPMI over the network. CLI command PORTCONTROL-IPMI off will prohibit access to IPMI over the network and will continue to take effect after the IMM and IMM2 reboot.
-To disable IPMI over LAN network access on TSM, follow the steps below (note: After disabling the IPMI over LAN, you can still use IPMI over Kcs/ssh):
-Log on to Thinkserver TSM
-click the right arrow to display the main menu icon
-Click the Service Management icon
-Select IPMI over LAN from the list of services
-Move the status slider switch to the off position
-click ' Apply ' and select ' Yes ' from the confirmation screen to accept your selections
-Click OK on the Success notification screen
-Use complex passwords with a length of at least 16 characters and mix uppercase and lowercase letters, numbers, and special characters. Using longer, more complex passwords makes it more difficult for malicious users to find valid user credentials.
-Keep the management network separate from the public network. Keep the management network separate and reduce security vulnerabilities by reducing the number of people who can access IMM and TSM.
-Note: The Lenovo xclarity administrator uses IPMI to manage the thinkserver system and some system X systems. If you are using the Xclarity administrator to manage your hardware, ensure that the IPMI account that is used for administration is not disabled.
Product Impact:
All the IPMI-using Lenovo systems, including but not limited to:
System x
BladeCenter hs22/hs22v/hs23/hs23e/hx5
Flex System x220 m4/x222 m4/x240 m4/x240 m5/x280/x280 X6
Flex System x440 m4/x480/x480 X6
Flex System x880/x880 X6
iDataPlex dx360 m2/dx360 m3/dx360 m4/dx360 M4 Water cooled
NeXtScale nx360 m4/nx360 M5
System x3100 m4/x3100 M5
System x3250 m4/x3250 m5/x3250 M6
System x3300 M4
System x3500 m2/x3500 m3/x3500 m4/x3500 M5
System x3530 M4
System x3550 m2/x3550 m3/x3550 m4/x3550 M5
System x3560 m2/x3560 M3
System x3630 m3/x3630 M4
System x3650 m3/x3650 m4/x3650 M4 bd/x3650 M4 hd/x3650 M5
System x3690 X5
System x3750 m4/x3750 M5
System x3850 x5/x3850 X6
System x3950 x5/x3950 X6
Thinkserver
Thinkserver dc5000/dc5100
Thinkserver rd330/rd340/rd350/rd350x
Tthinkserver rd430/rd430x/rd440/rd440x/rd450/rd450x
Thinkserver rd530/rd540/rd550
Thinkserver rd630/rd640/rd640x/rd650
Thinkserver rq750/rq940
Thinkserver rs140/rs160
Thinkserver sd330/sd350
Thinkserver ss430/ss440/ss440x
Thinkserver td340/td350
Thinkserver ts130/ts140/ts150
Thinkserver ts240/ts250
Thinkserver ts430/ts440/ts450
Thinkserver ts540/ts550
Additional information and references:
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5093463
Revision history:
Revised version
Date
Describe
1
9/29/2016
Initial version
For the latest information, please pay attention to Lenovo's updates and announcements about your equipment and software. The information in this bulletin is provided "as is" and we do not guarantee any content. Lenovo reserves the right to change or update the notice at any time

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.