Date:      Sat, 5 Apr 2014 15:00:26 +0000
From:      Kamil Choudhury <Kamil.Choudhury@anserinae.net>
To:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Securing baseboard managers
Message-ID:  <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>

First, a quick story.

A new motherboard I just bought has one of those out of band management
Ethernet ports. When I connected it into my cable router, despite the
cord being plugged into the non-baseboard Ethernet port, the baseboard
grabbed my public IP (I use this box as a router) instead of FreeBSD.

So. I exposed the baseboard's janky operating system running god knows
what ancient version of Linux to the internet, and momentarily gave all
comers (the credentials were, of course, admin/admin) the power to
remotely reboot my computer. Yikes.

The stakes here were low: I was at home, and there's really nothing all
that valuable on my network. But at the end of the day, these baseboard
controllers are running unmanaged, unaudited code on our networks, and
that scares me.

So...my questions:

1/ How do you protect yourself against this kind of vulnerability? Am I
paranoid for even thinking this is a problem?

2/ While out of band management is useful, I just can't bring myself to
trust software that seems to have been written by poo-flinging monkeys
(seriously, you need to see the browser-based UI they provide: frames!
<blink>! Java applets!). Is there any way to replace the vendor provided
solution with something more auditable and configurable? Maybe a teeny-tiny
BSD-based distribution?

I spend my days doing application development, so I am probably missing
a lot of perspective that more systems-oriented people have. If my
questions are ridiculous, feel free to tell me so and send me on my way!

Thanks in advance,
Kamil
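The failure mode described in the message above (a BMC sharing the host's NIC takes a DHCP lease from the upstream router, and the vendor default account is still in place) is something a defender can check for from the host before the board is exposed. The script below is an added example, not code from the original post or from the FreeBSD project: it parses the output of the real commands `ipmitool lan print 1` and `ipmitool user list 1` and flags a DHCP-sourced BMC address, a publicly routable BMC address, and a surviving factory default account name. The embedded sample output is constructed (the 203.0.113.0/24 documentation range stands in for the public lease a cable router would hand out), and the function names, the `DEFAULT_ACCOUNT_NAMES` list and the `NON_ROUTABLE` ranges are my own assumptions.

```python
import ipaddress
import subprocess

# Constructed sample of `ipmitool lan print 1` output, trimmed to the fields
# this check reads. 203.0.113.0/24 is the documentation range, standing in
# for the public address a cable router would hand to a DHCP client.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 203.0.113.42
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1
"""

# Constructed sample of `ipmitool user list 1` output: slot 1 is the nameless
# reserved user, slot 2 is the vendor's default administrator account.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   admin            true    true       true       ADMINISTRATOR
"""

# Account names commonly shipped as factory defaults (assumed list; extend per vendor).
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "user"}

# Ranges that cannot be reached from the public internet. Spelled out rather
# than using ipaddress.is_global so the documentation range in the sample is
# judged "routable", exactly as a real public lease would be.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # link-local
    "127.0.0.0/8",                                      # loopback
)]


def parse_lan_print(text):
    """Turn the 'Key : Value' lines of `ipmitool lan print` into a dict (split on the first colon)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def parse_user_list(text):
    """Return the non-empty user names from `ipmitool user list`, using the header's fixed-width columns."""
    lines = text.splitlines()
    header = lines[0]
    start, end = header.index("Name"), header.index("Callin")
    return [name for name in (line[start:end].strip() for line in lines[1:]) if name]


def is_publicly_routable(addr_text):
    """True when the address is outside every NON_ROUTABLE range; raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr_text)
    return not any(ip in net for net in NON_ROUTABLE)


def audit_bmc(lan_cfg, user_names):
    """Return a list of findings; an empty list means none of the checked problems were seen."""
    findings = []
    if "DHCP" in lan_cfg.get("IP Address Source", ""):
        findings.append("BMC address comes from DHCP: on a shared NIC it takes whatever lease the upstream router offers")
    addr = lan_cfg.get("IP Address", "")
    try:
        routable = is_publicly_routable(addr)
    except ValueError:
        findings.append(f"could not parse BMC IP address {addr!r}")
    else:
        if routable:
            findings.append(f"BMC address {addr} is publicly routable")
    defaults = sorted(n for n in user_names if n.lower() in DEFAULT_ACCOUNT_NAMES)
    if defaults:
        findings.append("vendor default account name(s) still present: " + ", ".join(defaults))
    return findings


def collect_from_ipmitool(channel=1):
    """Run the two real ipmitool commands against the local BMC (needs root and the host IPMI driver)."""
    def run(*args):
        return subprocess.run(["ipmitool", *args], capture_output=True, text=True, check=True).stdout
    return run("lan", "print", str(channel)), run("user", "list", str(channel))


if __name__ == "__main__":
    try:
        lan_out, user_out = collect_from_ipmitool()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ipmitool not usable here; auditing the constructed sample instead")
        lan_out, user_out = SAMPLE_LAN_PRINT, SAMPLE_USER_LIST
    for finding in audit_bmc(parse_lan_print(lan_out), parse_user_list(user_out)) or ["no findings"]:
        print("-", finding)
```

Against the constructed sample the audit reports all three problems from the story: a DHCP-sourced address, a routable address, and the `admin` account. On a real board the same three checks map to the fixes a defender wants: a static address on a management-only subnet (or a dedicated BMC port rather than the shared NIC), and the default account renamed or disabled before the cable goes in.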