Re: WaPo writes about vulnerabilities in Supermicro IPMIs

If you are OK with USB ether net for one interface, check out the tplink wr703n. Its powered via USB, has a USB and rj45 jack. Runs OpenWrt. Leo Bicknell wrote: > >On Aug 15, 2013, at 9:18 PM, Brandon Martin >wrote: > >> As to why people wouldn't put them behind dedicated firewalls, >imagine

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

There's a few misconceptions I'd like to address, plus add some backstory. The Washington Post article is intentionally void of details. It is intended as a non-technical article. You can find the actual technical paper here: https://www.usenix.org/conference/woot13/illuminating-security-issues-su

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

Hi, I find it odd that this is suddenly news... There is plenty of security updates for iBMC/iDrac/etc from IBM/HP/Dell/etc over the years. But: You can use ipmitool, rootkit/exploit some Linux box and upload your own firmware in that iBMC/iDrac/etc... for example the BMC firmwa

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On Aug 15, 2013, at 9:18 PM, Brandon Martin wrote: > As to why people wouldn't put them behind dedicated firewalls, imagine > something like a single-server colo scenario. I have asked about this on other lists, but I'll ask here. Does anyone know of a small (think Raspberry Pi sized) device

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

just so we're all clear, SuperMicro wasn't the only one... link: http://pastebin.com/syXHLuC5 1. CVE-2013-4782 CVSS Base Score = 10.0 2. The SuperMicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zer

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

- Original Message - > From: "Jonathan Lassoff" > The primary point of IPMI for most users is to be able to administer > and control the box when it's not running. > Using the host itself as a firewall is the quickest way to get that > BMC online, but it kinda defeats the purpose. Wow.

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

- Original Message - > From: "Andrew Jones" > > Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the ILO jack; > > let the box be the firewall. Sure, it's still as breakable as the box > > proper, but security-by-obscurity isn't *bad*, it's just *not good > > enough*. > > T

RE: WaPo writes about vulnerabilities in Supermicro IPMIs

> -Original Message- > From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] > Sent: Thursday, August 15, 2013 8:48 PM > To: Jay Ashworth > Cc: NANOG > Subject: Re: WaPo writes about vulnerabilities in Supermicro IPMIs > > On Thu, 15 Aug 2013 21:00:01

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On 16.08.2013 12:46, Jay Ashworth wrote: - Original Message - From: "Brandon Martin" As to why people wouldn't put them behind dedicated firewalls, imagine something like a single-server colo scenario. Most such providers don't offer any form of lights-out management aside from mayb

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

The primary point of IPMI for most users is to be able to administer and control the box when it's not running. Using the host itself as a firewall is the quickest way to get that BMC online, but it kinda defeats the purpose. On Thu, Aug 15, 2013 at 7:46 PM, Jay Ashworth wrote: > - Original

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

- Original Message - > From: "Brandon Martin" > As to why people wouldn't put them behind dedicated firewalls, imagine > something like a single-server colo scenario. Most such providers don't > offer any form of lights-out management aside from maybe remote reboot > (power-cycle) nor do

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

- Original Message - > From: "Valdis Kletnieks" > > Is anyone here stupid enough not to put the management interfaces > > behind a firewall/VPN? > > In most cases, this requires plugging in two separate ethernet cables > without wondering why you asked to be provisioned one IP address...

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On 08/15/2013 09:00 PM, Jay Ashworth wrote: Presumably, everyone else's are very religious as well. Is anyone here stupid enough not to put the management interfaces behind a firewall/VPN? http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-o

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On 8/15/2013 8:53 PM, Scott Weeks wrote: On 2013-08-15 19:00, Jay Ashworth wrote: Is anyone here stupid enough not to put the management interfaces behind a firewall/VPN? --- Pain is a great teacher... The problem is getting the one that le

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On 2013-08-15 19:00, Jay Ashworth wrote: > Is anyone here stupid enough not to put the management interfaces behind > a firewall/VPN? --- Pain is a great teacher... scott

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On Thu, 15 Aug 2013 21:00:01 -0400, Jay Ashworth said: > Presumably, everyone else's are very religious as well. > > Is anyone here stupid enough not to put the management interfaces behind > a firewall/VPN? In most cases, this requires plugging in two separate ethernet cables without wondering wh

Re: WaPo writes about vulnerabilities in Supermicro IPMIs

On 2013-08-15 19:00, Jay Ashworth wrote: Presumably, everyone else's are very religious as well. Is anyone here stupid enough not to put the management interfaces behind a firewall/VPN? That was my initial thought, too. Jima