Date: Sat, 5 Apr 2014 13:20:57 -0700
From: "Chad J. Milios" <milios@ccsys.com>
To: Kamil Choudhury <Kamil.Choudhury@anserinae.net>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Securing baseboard managers
Message-ID: <319928A2-C5FE-4BCA-A217-341DFD319FA7@ccsys.com>
In-Reply-To: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
References: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
> On Apr 5, 2014, at 8:00 AM, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:
>
> First, a quick story.
>
> A new motherboard I just bought has one of those out of band management Ethernet ports. When I connected it into my cable router, despite the cord being plugged into the non-baseboard Ethernet port, the baseboard grabbed my public IP (I use this box as a router) instead of FreeBSD.
>
> So. I exposed the baseboard's janky operating system running god knows what ancient version of Linux to the internet, and momentarily gave all comers (the credentials were, of course, admin/admin) the power to remotely reboot my computer. Yikes.
>
> The stakes here were low: I was at home, and there's really nothing all that valuable on my network. But at the end of the day, these baseboard controllers are running unmanaged, unaudited code on our networks, and that scares me.
>
> So...my questions:
>
> 1/ How do you protect yourself against this kind of vulnerability? Am I paranoid for even thinking this is a problem?
>
> 2/ While out of band management is useful, I just can't bring myself to trust software that seems to have been written by poo-flinging monkeys (seriously, you need to see the browser-based UI they provide: frames! <blink>! Java applets!). Is there any way to replace the vendor provided solution with something more auditable and configurable? Maybe a teeny-tiny BSD-based distribution?
>
> I spend my days doing application development, so I am probably missing a lot of perspective that more systems-oriented people have. If my questions are ridiculous, feel free to tell me so and send me on my way!
>
> Thanks in advance,
> Kamil

There is likely a setting in the mainboard's BIOS which makes the baseboard's NIC fail-over to sharing a mainboard port only when the baseboard's dedicated port lacks a link (default). Shared-always and dedicated-only are options. At any rate, the baseboard has its own MAC address. Most baseboards can be configured with a VLAN tag as well.

The default setting can be problematic when that port is hooked up to the WAN because the baseboard is in almost every case initialized first and might even be set to poll DHCP.
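An added example, not part of this reply or the thread: a small Python audit that parses the `ipmitool lan print` output format and flags the two settings the reply turns on, the BMC taking its address from DHCP and the absence of a VLAN tag. The sample output and its addresses are constructed; `audit_live` and LAN channel 1 are assumptions, since channel numbering and the failover mode itself are vendor-specific.

```python
import re
import subprocess

# Constructed sample of `ipmitool lan print 1` output (ipmitool's layout,
# made-up values) showing the risky defaults described in the thread.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 203.0.113.7
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:00:00:01
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""

def parse_lan_print(text):
    """Turn ipmitool's 'Key : Value' lines into a dict; indented continuation lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_bmc_lan(settings):
    """Return findings for settings that let the BMC wander onto the wrong network."""
    findings = []
    if "DHCP" in settings.get("IP Address Source", ""):
        findings.append("BMC takes a DHCP lease; on a shared/failover port it can "
                        "claim the upstream (WAN) address before the host boots")
    if settings.get("802.1q VLAN ID", "Disabled") == "Disabled":
        findings.append("no 802.1q VLAN tag; BMC traffic rides the untagged network "
                        "of whichever port it falls back to")
    return findings

def audit_live(channel=1):
    """Assumed helper: run ipmitool on the local host (needs ipmitool and an IPMI driver)."""
    out = subprocess.run(["ipmitool", "lan", "print", str(channel)],
                         capture_output=True, text=True, check=True).stdout
    return audit_bmc_lan(parse_lan_print(out))

if __name__ == "__main__":
    for finding in audit_bmc_lan(parse_lan_print(SAMPLE_LAN_PRINT)):
        print("WARN:", finding)
```

Remediation for both findings is standard ipmitool: `ipmitool lan set 1 ipsrc static` (then the address, netmask and gateway) and `ipmitool lan set 1 vlan id <management VLAN>`, with the failover/shared mode itself set in the board's BIOS as the reply describes.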