...
- A vulnerable machine doesn't necessarily get hacked. To
- The vulnerability, if present, should nevertheless be fixed ASAP.
- If the interface is exposed to untrusted networks (i.e. the Internet), the attacker we observed would try
  a. to access the system by guessing just a username. This is possible if the so-called "cipher 0" is enabled, which implies that no password is required.
  b. to crack the password of an IPMI user after retrieving the hash. This is possible with weak or moderately complex passwords.
- However, a cracked password (3b above) may not be exploitable when the user is disabled; the attack would then fail. ACOnet-CERT has no data on whether this is the case and can't detect it either, as this would require us to attack the systems ourselves.
- See also the vendor's documentation and make sure the firmware is up to date - see the links below.
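The "cipher 0" setting above is what a defender should check first, because with it enabled a username alone is enough to log in. The following added example (not part of the ACOnet-CERT advisory, and not vendor code) parses the output of `ipmitool lan print <channel>` and reports whether cipher suite 0 is still usable. It assumes the output format of ipmitool as the author of this example recalls it: a `RMCP+ Cipher Suites` line listing supported suites, and a `Cipher Suite Priv Max` line whose N-th character is the maximum privilege for cipher suite N (`X` means the suite is unused/disabled, `a` means ADMIN). The sample output below is constructed to show a BMC that still allows cipher suite 0 with ADMIN privilege.

```python
import subprocess
import sys

# Constructed sample of `ipmitool lan print 1` output (assumed format, trimmed).
# Cipher suite 0 is listed as supported and its privilege limit is 'a' (ADMIN).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Legend as printed by ipmitool itself (assumed).
PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def _field(lan_print_output, key):
    """Return the value of the first 'key : value' line, or None if absent."""
    for line in lan_print_output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == key:
            return value.strip()
    return None


def parse_cipher_privs(lan_print_output):
    """Per-suite privilege string; index == cipher suite number."""
    return _field(lan_print_output, "Cipher Suite Priv Max")


def parse_supported_suites(lan_print_output):
    """List of cipher suite numbers the BMC advertises as supported."""
    value = _field(lan_print_output, "RMCP+ Cipher Suites")
    if not value:
        return []
    return [int(x) for x in value.split(",") if x.strip()]


def cipher0_enabled(lan_print_output):
    """True if cipher suite 0 (no authentication) can still be used."""
    privs = parse_cipher_privs(lan_print_output)
    if privs is None:
        raise ValueError("no 'Cipher Suite Priv Max' line found in ipmitool output")
    return privs[0] != "X"


def hardened_privs(privs):
    """Same privilege string with suite 0 disabled; other suites are left as configured."""
    return "X" + privs[1:]


def audit(lan_print_output, channel=1):
    """Produce a human-readable report and the remediation command, if any."""
    privs = parse_cipher_privs(lan_print_output)
    supported = parse_supported_suites(lan_print_output)
    lines = ["supported cipher suites: %s" % supported]
    if privs is None:
        lines.append("WARNING: could not find 'Cipher Suite Priv Max'; check manually")
        return lines
    lines.append("cipher suite 0 max privilege: %s" % PRIV_NAMES.get(privs[0], privs[0]))
    if cipher0_enabled(lan_print_output):
        lines.append("FAIL: cipher suite 0 is enabled; a username alone grants access")
        # Assumed ipmitool syntax for the fix: one privilege char per suite 0..14.
        lines.append("fix: ipmitool lan set %d cipher_privs %s" % (channel, hardened_privs(privs)))
    else:
        lines.append("OK: cipher suite 0 is disabled")
    return lines


if __name__ == "__main__":
    # With a channel number as argument, query the local BMC; otherwise use the sample.
    if len(sys.argv) > 1:
        channel = int(sys.argv[1])
        output = subprocess.check_output(["ipmitool", "lan", "print", str(channel)], text=True)
    else:
        channel, output = 1, SAMPLE_LAN_PRINT
    print("\n".join(audit(output, channel)))
```

Run it without arguments to see the report for the constructed sample, or with a channel number on a host that has ipmitool and a local BMC. The script only reads the configuration and prints the `cipher_privs` command; applying it is left to the administrator, because the remaining characters of the privilege string should be reviewed against the vendor's documentation rather than set blindly. Note that this check says nothing about the second observed technique (hash retrieval and offline password cracking); for that, strong passwords and disabling unneeded users remain the relevant controls.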
Intrusion
As far as we could observe, the attackers break into the system in one of at least two, possibly three, ways:
...
Truth is: We don't know who or where the hackers are.
Note that if you use the tools and information on this page or follow any of its links, you do so at your own risk.
...
- Dell iDRAC: Best Practices for Security for iDRAC, IPMI, SNMP
- Dell iDRAC: Vulnerability Note VU#843044 (Dec. 2014)
- Cisco: IPMI Security Vulnerabilities
- Dan Farmer about IPMI security: http://fish2.com/ipmi/
Others
- rkhunter (Rootkit detection tool): http://rkhunter.sourceforge.net
...