Intelligent Platform Management Interface (IPMI) is a set of low-level interface specifications for an autonomous computing system. It is an industry-standard protocol, developed by Intel and supported by over two hundred vendors, including Dell, HP, IBM, Cisco, Supermicro, and Fujitsu. It provides out-of-band management and monitoring capabilities independent of the host system’s CPU, firmware (BIOS or UEFI), and operating system. The key IPMI capabilities include:

  • Monitoring (supervision of the hardware)
  • Recovery control (Recover/Restart the server)
  • Logging (“out-of-band” management for the hardware)
  • Inventory (list of hardware inventory)

The capabilities are available even when the server has been shut down (as long as at least one server power supply has power). Although remarkably powerful, IPMI comes with a series of cybersecurity risks. An attacker can reboot the system, install a new operating system, or compromise data, bypassing any operating system controls. Attackers can easily search for and identify internet-connected target systems, and IPMI is no exception. An attacker with IPMI access can discover and open management interfaces. Many of these interfaces use default passwords, no passwords, or weak encryption. Further consequences depend on the type and use of the compromised system. At the very least, an attacker who gains access to the baseboard management controller (BMC) can compromise the confidentiality, integrity, and availability of the server.

It is common knowledge in the cybersecurity community that the easiest way to hack into most network devices is through default passwords. BMCs are no different. The table below shows the default username and password combinations for the most prevalent BMC brands. Note that only HP randomizes the IPMI passwords. (Source: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/).

| Brand Name | Default Username | Default Password |
|---|---|---|
| HP Integrated Lights Out (iLO) | Administrator | factory randomized 8-character string |
| Dell Remote Access Card (iDRAC, DRAC) | root | calvin |
| IBM Integrated Management Module (IMM) | USERID | PASSW0RD (with a zero) |
| Fujitsu Integrated Remote Management Controller | admin | admin |
| Supermicro IPMI (2.0) | ADMIN | ADMIN |
| Oracle/Sun Integrated Lights Out Manager (ILOM) | root | changeme |
| ASUS iKVM BMC | admin | admin |

A few key underlying risks in IPMI are:

  • Passwords for IPMI authentication are saved in clear text.
  • Knowledge of one IPMI password gives you the password for all computers in the IPMI managed group.
  • Root access on an IPMI system grants complete control over hardware, software, firmware on the system.
  • BMCs often run excess and older network services that may be vulnerable.
  • IPMI access may also grant remote console access to the system, resulting in access to the BIOS.
  • There are few, if any, monitoring tools available to detect if the BMC is compromised.
  • Certain types of traffic to and from the BMC are not encrypted.
  • Unclear documentation on how to sanitize IPMI passwords without destruction of the motherboard.

Risk Mitigation Strategy

Potential risk mitigation strategies are:

Restrict IPMI to Internal Networks

Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls.  Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.

Utilize Strong Passwords

Change the pre-configured user name and password when the server is deployed. Doing so will prevent unauthorized users from gaining access to IMM or IMM2 through the pre-configured user account.
Devices running IPMI should have strong, unique passwords set for the IPMI service. Please see https://www.us-cert.gov/ncas/tips/ST04-002.

Encrypt Traffic

Enable encryption on IPMI interfaces, if possible.  Check your manufacturer manual for details on how to set up encryption.

Require Authentication

“cipher 0” is an option enabled by default on many IPMI enabled devices that allows authentication to be bypassed.  Disable “cipher 0” to prevent attackers from bypassing authentication and sending arbitrary IPMI commands.  Anonymous logins should also be disabled.
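One way to check a BMC for this setting is to audit the output of `ipmitool lan print`. The script below is an added example, not part of the original article: the sample output is constructed, and it assumes ipmitool's field names and, per the ipmitool man page, that the first character of "Cipher Suite Priv Max" is the privilege cap for cipher suite 0. It also flags the NONE authentication type.

```python
import re

# Constructed sample of `ipmitool lan print 1` output, trimmed to the relevant fields.
SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""

PRIVS = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

def parse_lan_print(text):
    """Map each field to its list of values; lines with an empty key continue the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        last = key or last
        if last:
            fields.setdefault(last, []).append(value)
    return fields

def audit(text):
    """Return a list of findings for cipher suite 0 and the NONE authentication type."""
    fields, findings = parse_lan_print(text), []
    suites = fields.get("RMCP+ Cipher Suites", [""])[0].replace(" ", "").split(",")
    privs = fields.get("Cipher Suite Priv Max", [""])[0]
    if re.fullmatch(r"[XcuoaO]+", privs):
        # Assumption (ipmitool man page): character 1 is the privilege cap for cipher suite 0.
        if privs[0] != "X":
            findings.append(f"cipher suite 0 usable up to {PRIVS[privs[0]]}")
    elif "0" in suites:
        findings.append("cipher suite 0 advertised, privilege cap not reported")
    for entry in fields.get("Auth Type Enable", []):
        level, _, types = entry.partition(":")
        if "NONE" in types.split():
            findings.append(f"auth type NONE enabled for {level.strip()}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

An empty result means neither condition was found in the fields the script reads; it does not cover user accounts, so anonymous or default-credential users still need a separate check.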

Sanitize Flash Memory at End of Life

Follow manufacturer recommendations for sanitizing passwords. If none exist, destroy the flash chip, motherboard, or other areas where the IPMI password may be stored.