Many servers make use of Intel’s Intelligent Platform Management Interface (IPMI) cards. These allow system administrators to access and remotely manage the server; including, changing BIOS settings, rebooting the server and providing an out-of-band login to the local system console. The IPMI can be built into the motherboard or can be added later and is supported by many enterprise vendors including HP, Dell, Intel and NEC.
Since November 2018, reports have been emerging of Linux systems being compromised and infected with JungleSec ransomware through the IPMI. For example, if the IPMI system was left in its default configuration when the server was installed then attackers could access it using well known default usernames and passwords.
Access to the IPMI allows an attacker to reboot the server into single user mode which typically provides root or admin access. This can allow data to be stolen or ransomed by the installation of malware, such as JungleSec.
Remote access systems, such as IPMI, are vital tools for a large number of system admininstrators; however, they provide powerful access to your network resources and should therefore be secured properly. The following guidelines are just some of the ways in which you can ensure your IPMI service is secured:
- Change or remove default credentials
- Logins provided to third parties, such as vendors, should be enabled only on an as-needed basis
- Staff logins should be issued to individuals (not shared)
- Treat IPMI logins with the same care and control as root or administrator logins for the server itself
- Firewalls should be configured to restrict the source IP addresses that may connect into the IPMI to the local network only – do not permit direct access from the internet
- On Linux system consider setting a password for the GRUB boot loader which will prevent unauthorised users from rebooting the server into single user mode
When arranging network penetration tests, include the IPMI devices within the scope of the test to ensure their protection is validated.