From: Achim Patzner
To: Kamil Choudhury
Cc: freebsd-hackers@freebsd.org
Subject: Re: Securing baseboard managers
Date: Sun, 6 Apr 2014 16:36:33 +0200
List-Id: Technical Discussions relating to FreeBSD
On 05.04.2014 at 17:00, Kamil Choudhury wrote:

> A new motherboard

You might have told us a bit more about that mainboard if you wanted some hints…

> I just bought has one of those out of band management
> Ethernet ports. When I connected it to my cable router, despite the
> cord being plugged into the non-baseboard Ethernet port, the baseboard
> grabbed my public IP (I use this box as a router) instead of FreeBSD.

… because it is using DHCP and probably up and running before FreeBSD even starts thinking about booting. Nothing wrong there. You might take a look at the firmware configuration and just turn it off if you don't need it. Or use another NIC for your outside connection.

> 1/ How do you protect yourself against this kind of vulnerability? Am I
> paranoid for even thinking this is a problem?

Usually by reading the manual and configuring the hardware or turning the thing off if it is not needed. Or removing the microcontroller from my mainboard (e.g. on Intel server boards).

> 2/ While out of band management is useful, I just can't bring myself to
> trust software that seems to have been written by poo-flinging monkeys
> (seriously, you need to see the browser-based UI they provide: frames!
> Java applets!).

If you're that much better than those programmers you might lend them a hand. But remember: your tools have to be running on everything on this planet, including FreeBSD boxes running a browser in a Linux emulation. And on my Android phone, of course.

> Is there any way to replace the vendor provided
> solution with something more auditable and configurable? Maybe a teeny-tiny
> BSD-based distribution?

Of course. Just write it. But keep in mind that the inner workings of those remote management modules are quite a bit more complex than their block diagrams.

Achim
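The condition Achim describes (a BMC that takes a DHCP lease before the OS boots and ends up on the public uplink) can be checked from the host itself. The script below is an added example, not part of this thread or of any vendor's tooling; it assumes sysutils/ipmitool is installed and the ipmi(4) driver is loaded so that `ipmitool lan print 1` works locally (channel 1 is the usual LAN channel, but that is an assumption). The two sample outputs embedded in it are constructed to resemble ipmitool's "Key : Value" format, using documentation-range addresses, so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a BMC's LAN settings as reported by
# `ipmitool lan print <channel>` and flag the two things the thread
# warns about: the address comes from DHCP, and the BMC sits on a
# public (non-RFC 1918) network, i.e. the box's outside connection.
#
# Assumptions: ipmitool is available and the LAN channel is 1.
# Remediation commands (real ipmitool subcommands), run by hand:
#   ipmitool lan set 1 ipsrc static        # stop taking DHCP leases
#   ipmitool lan set 1 ipaddr 192.168.200.250
#   ipmitool lan set 1 access off          # or disable the channel entirely

# Print the value of one "Key : Value" field from lan-print text on stdin.
bmc_field() {
    # $1 = field name, e.g. "IP Address Source"
    awk -F' : ' -v key="$1" '
        { k = $1; sub(/[ \t]+$/, "", k) }
        k == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }
    '
}

# Return 0 when a dotted-quad IPv4 address is in RFC 1918 private space.
bmc_is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Audit one lan-print text ($1). Prints findings; returns 0 only if clean.
bmc_audit() {
    text="$1"
    src=$(printf '%s\n' "$text" | bmc_field "IP Address Source")
    addr=$(printf '%s\n' "$text" | bmc_field "IP Address")
    rc=0
    if [ "$src" = "DHCP Address" ]; then
        echo "FINDING: BMC address source is '$src'; it will take a lease before the OS boots"
        rc=1
    fi
    if ! bmc_is_private_ip "$addr"; then
        echo "FINDING: BMC address '$addr' is not RFC 1918; it may be reachable from outside"
        rc=1
    fi
    return $rc
}

# Constructed sample: a DHCP-configured BMC that grabbed the public uplink.
SAMPLE_DHCP='Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 203.0.113.7
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1'

# Constructed sample: the same BMC after being pinned to the inside network.
SAMPLE_STATIC='Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.168.200.250
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:02
Default Gateway IP      : 192.168.200.1'

if [ "${1:-}" = "--live" ]; then
    # Real run against the local BMC (channel from $2, default 1).
    bmc_audit "$(ipmitool lan print "${2:-1}")"
else
    echo "== constructed DHCP sample =="
    bmc_audit "$SAMPLE_DHCP" || true
    echo "== constructed static sample =="
    bmc_audit "$SAMPLE_STATIC" && echo "no findings"
fi
```

Run it with no arguments to see it over the constructed samples, or with `--live [channel]` to audit the local BMC. A non-zero exit means at least one finding, which makes it easy to wire into a periodic check.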