First, a bit of background about IPMI — how it came about and for what purpose, as well as the limitations and risks inherent in those devices. Nearly all modern servers ship with a secondary out-of-band management system that allows administrators to remotely perform basic monitoring and maintenance — even when the server’s operating system is unresponsive. The most basic interfaces allow administrators to reboot the system and monitor basic state, but some manufacturers have included advanced functionality that ranges from changing BIOS settings to accessing a remote desktop and remotely installing a new operating system.
Manufacturers have their own names for the interface that you may have heard of, like HP Integrated Lights-Out (iLO), Dell Remote Access Card (DRAC), and SuperMicro Intelligent Management. However, most manufacturers (including HP, Dell, Cisco, IBM, Intel, and SuperMicro) support a standardized protocol for interacting with the management controller: Intelligent Platform Management Interface (IPMI). IPMI was standardized by Intel in 1998 and continues to be supported by most servers today.
However, while IPMI provides incredible value to administrators — particularly for servers in remote data centers — implementations are riddled with severe vulnerabilities, many of which allow full remote compromise. Dan Farmer wrote some really interesting papers on IPMI and BMC security that are worth diving into if you’re interested in the topic.
Controllers are rarely updated and manufacturers have generally been slow to respond. As such, it’s critical that IPMI devices never be connected to the public Internet.
What are the security risks of insecure IPMI devices?
Given that many IPMI devices continue to be vulnerable to remote exploits and allow near complete control over a server, among other severe risks, it’s best practice to never connect IPMI devices to the public Internet.
Back in 2013, Dan Farmer and HD Moore found that that thousands of IPMI devices on the Internet still used default passwords:
“About 5 percent of Internet-facing BMCs had a default password set,” HD Moore said. “In an unscientific internal test, 80 percent of devices identified still had a default password configured (of 35 systems on a typical corporate network).”
ith those security implications in mind, it’s worth running daily scans to find these remote access services and to prioritize removing them from the public Internet.
How to find IPMI protocol with Censys
Across the Internet, we found around 128K instances of IPMI.
Now you know how to search for IPMI devices and prioritize the removal of them to improve your overall security. On a related topic, you may try looking for RDP and VNC with Censys (better to know if they’re out there rather than remain in blissful ignorance, we say!) and taking action on those devices.