Securing baseboard managers

Chad J. Milios milios at ccsys.com
Sat Apr 5 20:27:31 UTC 2014


> On Apr 5, 2014, at 8:00 AM, Kamil Choudhury <Kamil.Choudhury at anserinae.net> wrote:
> 
> First, a quick story. 
> 
> A new motherboard I just bought has one of those out of band management 
> Ethernet ports. When I connected it into my cable router, despite the 
> cord being plugged into the non-baseboard Ethernet port, the baseboard 
> grabbed my public IP (I use this box as a router) instead of FreeBSD. 
> 
> So. I exposed the baseboard's janky operating system running god knows 
> what ancient version of Linux to the internet, and momentarily gave all 
> comers (the credentials were, of course, admin/admin) the power to 
> remotely reboot my computer. Yikes. 
> 
> The stakes here were low: I was at home, and there's really nothing all 
> that valuable on my network. But at the end of the day, these baseboard
> controllers are running unmanaged, unaudited code on our networks, and 
> that scares me. 
> 
> So...my questions: 
> 
> 1/ How do you protect yourself against this kind of vulnerability? Am I
> paranoid for even thinking this is a problem? 
> 
> 2/ While out of band management is useful, I just can't bring myself to 
> trust software that seems to have been written by poo-flinging monkeys
> (seriously, you need to see the browser-based UI they provide: frames!
> <blink>! Java applets!). Is there any way to replace the vendor provided 
> solution with something more auditable and configurable? Maybe a teeny-tiny 
> BSD-based distribution? 
> 
> I spend my days doing application development, so I am probably missing 
> a lot of perspective that more systems-oriented people have. If my 
> questions are ridiculous, feel free to tell me so and send me on my way!
> 
> Thanks in advance, 
> Kamil

There is likely a setting in the mainboard's BIOS which makes the baseboard's NIC fail-over to sharing a mainboard port only when the baseboard's dedicated port lacks a link (default). Shared-always and dedicated-only are options. At any rate, the baseboard has its own MAC address. Most baseboards can be configured with a VLAN tag as well.

The default setting can be problematic when that port is hooked up to the WAN because the baseboard is in almost every case initialized first and might even be set to poll DHCP.
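As an added example that is not part of the thread: the reply above boils down to three things to check on a BMC before it ever touches a WAN-facing port, namely whether it is pulling its address from DHCP, whether that address sits outside the management networks you intend for it, and whether it is untagged on the wire. The Python below audits those settings from the text that `ipmitool lan print <channel>` produces. The two samples are constructed to mimic that tool's "Key : Value" layout (the field names follow ipmitool's output, the addresses and MAC are made up), and the RFC 1918 ranges stand in for whatever management subnets a given site actually uses.

```python
import ipaddress
import re

# Constructed sample modelled on `ipmitool lan print 1` from a BMC left at its
# defaults: DHCP-sourced address, no VLAN tag, and an address on a routable
# (non-RFC1918) network. Not a real capture.
SAMPLE_DEFAULT_BMC = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 203.0.113.5
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""

# Constructed sample of the same BMC after being pinned to a static address on
# an internal management subnet and tagged onto a management VLAN.
SAMPLE_HARDENED_BMC = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.168.100.5
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.168.100.1
802.1q VLAN ID          : 100
802.1q VLAN Priority    : 0
"""

# Assumption: the BMC is only ever meant to live on RFC 1918 space. Swap in the
# real management prefixes for a given site.
MGMT_NETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lan_print(text):
    """Turn the 'Key : Value' lines of `ipmitool lan print` into a dict.

    The key match is non-greedy so values containing colons (the MAC address)
    are split at the first colon only.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_bmc(fields, mgmt_nets=MGMT_NETS):
    """Return a list of finding tags for the risky settings described above.

    An empty list means the BMC has a static address inside the management
    networks and is VLAN-tagged.
    """
    findings = []

    # A DHCP-sourced BMC will grab whatever lease the upstream offers, and it
    # usually asks before the host OS has even booted.
    if "dhcp" in fields.get("IP Address Source", "").lower():
        findings.append("ip-source-dhcp")

    # Flag an address that is not on any network we intend for management.
    ip_text = fields.get("IP Address", "0.0.0.0")
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        findings.append("ip-unparseable")
    else:
        if not any(ip in net for net in mgmt_nets):
            findings.append("ip-outside-mgmt-nets")

    # ipmitool reports "Disabled" when no 802.1q tag is configured.
    if fields.get("802.1q VLAN ID", "Disabled").lower() == "disabled":
        findings.append("vlan-untagged")

    return findings


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT_BMC),
                         ("hardened", SAMPLE_HARDENED_BMC)):
        print(name, audit_bmc(parse_lan_print(sample)))
```

On a live box the same check is `ipmitool lan print 1 | python3 audit.py` with the sample replaced by `sys.stdin.read()`; the channel number varies by board, and the shared/dedicated NIC mode from the reply is a BIOS setting that `lan print` does not report, so it still has to be verified in firmware setup.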

