Dell, Hewlett-Packard and IBM servers "vulnerable by default"

Security

by Jimmy Nicholls| 09 June 2014

Security researcher slams major vendors.

A security researcher who pioneered the use of vulnerability scanners in computing has accused the likes of Dell, Hewlett-Packard and IBM of peddling servers that are "vulnerable by default".

Writing in a white paper Dan Farmer claimed that a scan of the intelligent platform management interface (IPMI) that allows system administrators to manage computers without using an OS had revealed 230,000 microcontrollers exposed to the internet, with 90% capable of being compromised through basic weaknesses.

He said: "For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better."

IPMI is used as a basic piece of software by vendors who later add services such as mail and network management protocols. The associated baseboard management controller (BMC) has considerable oversight of networks it is attached to, creating the opportunity for extensive hacking.

University of Michigan researchers had raised concerns in a paper last year, saying they believe potential attacks could include the installation of spyware, rootkits providing unlogged backdoor access, and botnets for use in other attacks.

"While only a quarter of a million BMCs is only a tiny sliver of the total computing power in the world, it's still an important indicator as a kind of canary in the coalmine," Farmer added.

"All the services that make the Internet so vital to our daily lives are powered by servers hiding behind the curtains of corporate firewalls."

He advised systems administrators not to put a managed network port on the internet unless it is strictly necessary, to rotate IPMI passwords frequently, and to increase password length.

Comments
Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

734 people like this.
0 people follow this.

Security Intelligence

Suppliers Directory

Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.