Securing baseboard managers
Kamil Choudhury
Kamil.Choudhury at anserinae.net
Sat Apr 5 15:00:30 UTC 2014
First, a quick story.

A new motherboard I just bought has one of those out of band management
Ethernet ports. When I connected it into my cable router, despite the
cord being plugged into the non-baseboard Ethernet port, the baseboard
grabbed my public IP (I use this box as a router) instead of FreeBSD.

So. I exposed the baseboard's janky operating system running god knows
what ancient version of Linux to the internet, and momentarily gave all
comers (the credentials were, of course, admin/admin) the power to
remotely reboot my computer. Yikes.

The stakes here were low: I was at home, and there's really nothing all
that valuable on my network. But at the end of the day, these baseboard
controllers are running unmanaged, unaudited code on our networks, and
that scares me.

So...my questions:

1/ How do you protect yourself against this kind of vulnerability? Am I
paranoid for even thinking this is a problem?

2/ While out of band management is useful, I just can't bring myself to
trust software that seems to have been written by poo-flinging monkeys
(seriously, you need to see the browser-based UI they provide: frames!
<blink>! Java applets!). Is there any way to replace the vendor provided
solution with something more auditable and configurable? Maybe a teeny-tiny
BSD-based distribution?

I spend my days doing application development, so I am probably missing
a lot of perspective that more systems-oriented people have. If my
questions are ridiculous, feel free to tell me so and send me on my way!

Thanks in advance,

Kamil