How to Fix the IPMI Remote Management Vulnerability
As you may have seen today in the tech press, one year after a major vulnerability in IPMI Remote Management systems from multiple server vendors was published, over 32,000 systems with Remote Management publicly accessible from the Internet have not applied the firmware update that addresses said vulnerability.
iXsystems ships Remote Management features standard on most systems. Most systems equipped with Intel E5-2600 processors purchased before 2014 and running IPMI firmware versions prior to 3.15 require firmware updates to address the issues cited in the article. This Knowledgebase article contains detailed information on system(s) and version(s) affected, and steps to take to update Remote Management firmware.
Performing Remote Management Firmware Updates
Remote Management firmware on iXsystems servers can be updated using multiple methods:
1. Direct update via Remote Management Web UI
2. Remote update via CLI from Windows or Linux
3. Remote update via IPMIView GUI from Windows or Linux
Single machines or small installations should use the Web UI method. For sites with a large number of systems that need updating, use the CLI tool with a script, or use IPMIView.
This Knowledgebase article contains a link to the firmware images by motherboard model. If the model isn’t known, contact iXsystems support with the system serial number and we can provide the necessary firmware image link.
Network Security Best Practices are Key
Network security practices that protect against remote exploitation of vulnerabilities are based on the idea of “security in layers.” These practices assume that no single point can defend against every attack, and that a combination of controls widens the protection.
Network security best practices include deploying these measures:
1. Deploy firewalls and configure strict filters.
Remote Management interfaces are usually accessed from a set of central management stations. Firewalls should be deployed so that access to those interfaces is allowed only from the approved management stations. Access to the management stations themselves should also be restricted to networks owned by the company.
2. Apply the Principle of Least Privilege to restrict administrative access to only the people and places where it is needed.
Only grant configuration-change accounts to users who will actually be changing configurations. Users who only monitor should be given read-only or reduced-privilege accounts. If their access is compromised, the attacker will only be able to look, not touch.
3. Test for vulnerabilities, monitor for intrusions, and update software when risks are identified.
Regular port scans and penetration tests can identify accidental or newly discovered exposures that need to be addressed. In addition, monitoring for abnormal activity on networks and firewalls can identify when an intrusion may have occurred. Regularly polling software versions and maintaining a list of software updates that address security vulnerabilities allows for easy identification of systems needing maintenance, which can be scheduled as the need allows.
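As an added illustration of the first measure above (restricting Remote Management access to approved management stations), here is a small POSIX shell script that generates, checks and optionally applies iptables FORWARD rules on a Linux host that routes between the management stations and the out-of-band management (BMC) network. It is example code written for this article, not a tool from iXsystems or any vendor. The two subnets are constructed placeholders (RFC 5737 documentation ranges); the ports are the standard IPMI-over-LAN port (623/udp) and the web UI (443/tcp, 80/tcp). Vendor-specific KVM or virtual-media ports are deliberately not guessed and would need to be added for your hardware.

```shell
#!/bin/sh
# Added example (not from the original article): firewall rules that let only
# the approved management network reach the BMC/IPMI network.
# Assumptions: this host forwards traffic between the two networks (FORWARD
# chain), iptables with the conntrack and limit matches is available, and the
# subnets below are placeholders to be replaced with real values.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"      # approved management stations (constructed)
BMC_NET="${BMC_NET:-198.51.100.0/24}"     # out-of-band management VLAN (constructed)

# Print one iptables command per line. Nothing is executed by this function.
ipmi_firewall_rules() {
  mgmt="$1"; bmc="$2"
  # Toward the BMC network: only approved stations, only the needed ports.
  printf '%s\n' "iptables -A FORWARD -s $mgmt -d $bmc -p udp --dport 623 -j ACCEPT"   # IPMI over LAN (RMCP/RMCP+), used by ipmitool and IPMIView
  printf '%s\n' "iptables -A FORWARD -s $mgmt -d $bmc -p tcp --dport 443 -j ACCEPT"   # Remote Management web UI
  printf '%s\n' "iptables -A FORWARD -s $mgmt -d $bmc -p tcp --dport 80 -j ACCEPT"    # web UI redirect to HTTPS
  printf '%s\n' "iptables -A FORWARD -d $bmc -m limit --limit 5/min -j LOG --log-prefix \"IPMI-DENY: \""
  printf '%s\n' "iptables -A FORWARD -d $bmc -j DROP"
  # Leaving the BMC network: replies only. A BMC that opens its own outbound
  # connections is unusual and worth a log line.
  printf '%s\n' "iptables -A FORWARD -s $bmc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "iptables -A FORWARD -s $bmc -m limit --limit 5/min -j LOG --log-prefix \"IPMI-OUT: \""
  printf '%s\n' "iptables -A FORWARD -s $bmc -j DROP"
}

# Sanity check on the generated set: every ACCEPT toward the BMC network must
# name the management network as its source. Prints offenders, exits 1 if any.
check_rules() {
  mgmt="$1"; bmc="$2"
  ipmi_firewall_rules "$mgmt" "$bmc" \
    | awk -v m="-s $mgmt" -v b="-d $bmc" \
        'index($0, b) > 0 && /-j ACCEPT/ && index($0, m) == 0 { print; bad = 1 }
         END { exit bad }'
}

# Usage: sh ipmi-firewall.sh show | check | apply   (apply runs as root)
case "${1:-}" in
  show)  ipmi_firewall_rules "$MGMT_NET" "$BMC_NET" ;;
  check) check_rules "$MGMT_NET" "$BMC_NET" && echo "ok: no ACCEPT toward $BMC_NET without source $MGMT_NET" ;;
  apply) check_rules "$MGMT_NET" "$BMC_NET" && ipmi_firewall_rules "$MGMT_NET" "$BMC_NET" | sh ;;
esac
```

Run `show` first and review the output; the two LOG rules are rate-limited so that a scan of the BMC network produces a readable sample in the firewall log rather than flooding it, which is the "monitor for intrusions" part of the third measure.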
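The scripted CLI update path mentioned earlier and the second and third measures above (least privilege on BMC accounts, regularly polling firmware versions) share one building block: querying each BMC with ipmitool from a Linux management station. The following POSIX shell script, added here as an example and not part of the original article or any iXsystems tool, audits a list of BMCs and reports firmware older than the fixed 3.15 release named above and accounts that hold ADMINISTRATOR privilege. It assumes ipmitool is installed, the BMC password is supplied through the IPMI_PASSWORD environment variable (ipmitool's -E option), the user table lives on LAN channel 1 (vendor dependent), and the hosts file has one BMC address per line. The sample ipmitool output embedded for offline testing is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit BMCs for outdated
# firmware and over-privileged accounts using ipmitool.
MIN_FW="${MIN_FW:-3.15}"            # first firmware release with the fix (from the article)
IPMI_USER="${IPMI_USER:-ADMIN}"     # assumption: account used for the audit
IPMI_CHANNEL="${IPMI_CHANNEL:-1}"   # assumption: LAN channel holding the user table

# Extract "Firmware Revision : X.Y" from `ipmitool mc info` output on stdin.
fw_version_from_mc_info() {
  awk -F': *' '/^Firmware Revision/ { gsub(/[ \t]+$/, "", $2); print $2; exit }'
}

# True (exit 0) when installed version $1 is older than minimum $2 (major.minor).
fw_needs_update() {
  awk -v cur="$1" -v min="$2" 'BEGIN {
    split(cur, c, "."); split(min, m, ".")
    if (c[1] + 0 < m[1] + 0) exit 0
    if (c[1] + 0 == m[1] + 0 && c[2] + 0 < m[2] + 0) exit 0
    exit 1
  }'
}

# From `ipmitool user list <channel>` output on stdin, print "<id> <name>" for
# every slot whose channel privilege limit is ADMINISTRATOR. Slots with an
# empty name shift the columns left, so the name is recovered by checking
# whether field 2 is already the Callin boolean.
bmc_admin_accounts() {
  awk 'NR > 1 {
    name = ($2 == "true" || $2 == "false") ? "(unnamed)" : $2
    if ($NF == "ADMINISTRATOR") print $1, name
  }'
}

# Query one BMC over the network and print one line per finding.
audit_bmc() {
  host="$1"
  fw=$(ipmitool -I lanplus -H "$host" -U "$IPMI_USER" -E mc info | fw_version_from_mc_info)
  if [ -z "$fw" ]; then
    echo "$host: could not read firmware version"
    return 0
  fi
  if fw_needs_update "$fw" "$MIN_FW"; then
    echo "$host: firmware $fw is older than $MIN_FW, update required"
  fi
  ipmitool -I lanplus -H "$host" -U "$IPMI_USER" -E user list "$IPMI_CHANNEL" \
    | bmc_admin_accounts \
    | while read -r id name; do
        # Privilege level 2 is USER (read-only for most operations).
        echo "$host: user id $id ($name) is ADMINISTRATOR; to demote: ipmitool user priv $id 2 $IPMI_CHANNEL"
      done
}

# Constructed sample output, in the formats ipmitool prints, for offline checks.
SAMPLE_MC_INFO="Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 2.33
IPMI Version              : 2.0"
SAMPLE_USER_LIST="ID  Name	     Callin  Link Auth	IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
4   backup           true    false      true       ADMINISTRATOR"

# Usage: IPMI_PASSWORD=... sh bmc-audit.sh hosts.txt
if [ -n "${1:-}" ]; then
  while read -r host; do
    case "$host" in ''|\#*) continue ;; esac
    audit_bmc "$host"
  done < "$1"
fi
```

Feed the report into whatever ticketing or scheduling process the site uses; the "update required" lines are the list of systems needing the firmware update, and the ADMINISTRATOR lines are the candidates for downgrading to a monitoring-only account.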