[164247] in North American Network Operators' Group
Re: IPMI vulnerabilities
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Tue Jul 2 11:58:38 2013
Date: Tue, 02 Jul 2013 17:58:16 +0200
From: Jeroen Massar <jeroen@massar.ch>
To: Jamie Bowden <jamie@photon.com>
In-Reply-To: <465966A5F5B867419F604CD3E604C1E54D5CED99@PRA-DCA-MAIL.pra.ray.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2013-07-02 17:54 , Jamie Bowden wrote:
>> From: Jeroen Massar [mailto:jeroen@massar.ch]
>> On 2013-07-02 16:51 , Steven Bellovin wrote:
>>> http://www.wired.com/threatlevel/2013/07/ipmi/
>>>
>>> Capsule summary: watch out!
>>
>> Indeed! But it is should be logical, as IPMI is supposed to be for OOB
>> access right? :)
>>
>> Anybody not putting them behind a properly restricted firewall and/or
>> VLAN is asking for issues... typical IPMI boxes run outdated linux
>> kernels, with nice olddated userspace and a whole lot of tools that one
>> can not really restrict access to, thus it is quite silly to have that
>> access open to the public.
>
> That same reasoning has worked wonders at keeping SCADA systems off the public internet too.
People problems cannot be resolved with code.
Greets,
Jeroen
