Inherent Risks of Using the Intelligent Platform Management Interface (IPMI) on the Lenovo System x Integrated Management Module (IMM), Integrated Management Module II (IMM2) and ThinkServer TSM - us

Lenovo Security Advisory: LEN-10617

Potential Impact: Access to systems through IPMI if default settings are not changed

Severity: High

**Scope of Impact:******Industry-Wide

**CVE Identifiers:**CVE-2013-4037, CVE-2013-4031

Summary Description:

Various risks with the industry-standard Intelligent Platform Management Interface (IPMI) have been identified and documented in the IT security community. Because the Lenovo System x Integrated Management Model (IMM), IMM2 and ThinkServer System Manager (TSM) provide IPMI access by default, a subset of these identified risks are applicable to those servers.

The Intelligent Platform Management Interface (IPMI) is an industry-standard protocol supported by Lenovo and more than 200 computer system vendors that consists of a set of computer interface specifications that can be used by system administrators for out-of-band management and monitoring of host computer systems independent of their CPU, firmware and operating system.

CVE ID: CVE-2013-4037
Description:
The RAKP protocol, which is specified by the IPMI standard for authentication, has flaws. Although the IMMs and TSM do not allow the use of null passwords, a hacker could reverse engineer the RAKP transactions to determine a password. The authentication process for IPMI requires the management controller to send a hash of the requested user’s password to the client, prior to the client authenticating. This process is a key part of the IPMI specification. The password hash can be broken using an offline brute force or dictionary attack.

CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-4031
Description:
The IMM, IMM2 and ThinkServer TSMs are preconfigured with one IPMI user account which has the same default login name and password on all affected systems. If a malicious user gains access to the IPMI interface using this preconfigured account, he or she would be able to power off or on, or reboot the host server, with the ability to create or change user accounts and possibly preventing legitimate users from accessing the IMMs.
Additionally, if a user fails to change the default user name and password on each of the systems he or she has deployed, the user would have the same login information for each of the IMMs on those systems.

CVSS Base Score: 10
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Mitigation Strategy for Customers (what you should do to protect yourself):

• Change the preconfigured user name and password when the server is deployed. Doing this will prevent unauthorized users from gaining access to the IMMs through the preconfigured user account.
• If a user is not managing a server using IPMI, the IMMs and TSM can be configured to disallow IPMI network access from the user accounts. This can be accomplished using the IPMItool utility or a similar utility for managing and configuring IPMI management controllers. Here is an example of an IPMItool utility command to disable the network access for an IPMI user:

IPMItool channel setaccess 1 #user_slot# privilege=15

Replace #user_slot# in the above command with the actual slot number (1 through 12) and repeat for each IMM/IMM2/TSM user that has been configured. The example above details the command when it is run directly on the server itself. If the IPMItool command is run remotely over the network, or if a different utility is used, the command will be different. Consult the documentation for the utility that you are using to determine the correct command syntax. Disallowing IPMI network access will remove the ability to use the weakness present in the IPMI RAKP protocol to discover user account credentials.

• It is possible to disable IPMI network access to the IMM and IMM2 altogether. The CLI command portcontrol –ipmi off will disable IPMI network access and will persist across IMM and IMM2 reboots.
• To disable IPMI over LAN network access on the TSM, follow the steps below (note that IPMI over KCS/SSH can still be used when IPMI over LAN is disabled):
  • Login to ThinkServer TSM
  • Click the right arrow to show the main menu icons
  • Click on the Services Management icon
  • Select the “IPMI over LAN” from the list of services
  • Move the “State” slider switch to the “off” position
  • Click Apply and select Yes from the confirmation screen to accept your choice
  • Click OK on the Success notification screen
• Use strong passwords, at least 16 characters long with a mixture of upper and lowercase letters, numbers, and special characters. By using longer, more complex passwords it makes it more difficult for malicious users to discover valid user credentials.
• Keep the management network separate from the public network. Keeping the management network separate lessens security exposures by reducing the number of individuals who can access the IMMs and TSM.
• Note that Lenovo XClarity Administrator uses IPMI to manage ThinkServer systems and certain System x systems. If you are using XClarity Administrator to manage your hardware, ensure you do not disable the IPMI account being used for management.