HIGH: Open IPMI Report

DESCRIPTION LAST UPDATED: 2023-12-12

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the Intelligent Platform Management Interface (IPMI) service open (port 623/udp) and accessible from the Internet.

IPMI is the base of most of the Out Of Band / Lights Out management suites and is implemented by the server’s Baseboard Management Controller (BMC). The BMC has near complete access and control of the server’s resources, including, but not limited to, memory, power, and storage. Anyone that can control your BMC (via IPMI) can control your server.

IPMI instances in general are known to contain a variety of vulnerabilities, some more serious than others. In short, you really do not want to expose IPMI to the Internet.

If you’re not convinced yet, please take a look at the excellent work by Dan Farmer on IPMI security issues at http://fish2.com/ipmi/ and US-CERT alert TA13-207A at https://www.us-cert.gov/ncas/alerts/TA13-207A

Track exposed IPMI instances on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename: scan_ipmi

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the IPMI response came on (UDP)
  • port
    Port that the IPMI response came from
  • hostname
    Reverse DNS name of the device in question
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • ipmi_version
    IPMI version support (version 1.5 or 2.0)
  • none_auth
    Supports NONE authentication mechanism (yes = bad)
  • md2_auth
    Supports MD2 authentication mechanism (yes = bad)
  • md5_auth
    Supports MD5 authentication mechanism
  • passkey_auth
    Supports Straight Password / Key authentication (yes = bad)
  • oem_auth
    Supports proprietary authentication mechanisms (unknown if good or bad)
  • defaultkg
    IPMI v2.0 only — two-key login authentication status (default means that the key is set to all zeros)
  • permessage_auth
    Per-message Authentication status (disabled is bad)
  • userlevel_auth
    User Level Authentication status (disabled is bad)
  • usernames
    Non-Null Usernames enabled (at least one enabled account has a non-null username)
  • nulluser
    NULL usernames are enabled with non-NULL passwords
  • anon_login
    Anonymous logins are allowed (NULL username and NULL password) (yes = bad)
  • error
    IPMI v1.5 "none" authentication only — error condition, if any, reported when an "info" probe is sent to the BMC
  • deviceid
    IPMI v1.5 "none" authentication only — Device ID: Specified by the Manufacturer, usually as an instance identifier
  • devicerev
    IPMI v1.5 "none" authentication only — Device Revision: Revision number of the probed BMC
  • firmwarerev
    IPMI v1.5 "none" authentication only — Firmware Revision: Major and minor number of the installed firmware version
  • version
    IPMI v1.5 "none" authentication only — IPMI Version: Specifies which version of the IPMI specification that the controller is compatible with
  • manufacturerid
    IPMI v1.5 "none" authentication only — Manufacturer ID: Name of the manufacturer in SMI Network Management Private Enterprise Code format
  • manufacturername
    IPMI v1.5 "none" authentication only — Manufacturer Name
  • productid
    IPMI v1.5 "none" authentication only — Product ID of the probed device
  • productname
    IPMI v1.5 "none" authentication only — Product Name of the probed device
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","ipmi_version","asn","geo","region","city","none_auth","md2_auth","md5_auth","passkey_auth","oem_auth","defaultkg","permessage_auth","userlevel_auth","usernames","nulluser","anon_login","error","deviceid","devicerev","firmwarerev","version","manufacturerid","manufacturername","productid","productname","naics","hostname_source","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,623,node01.example.com,ipmi,2.0,64512,ZZ,Region,City,no,yes,yes,yes,no,default,enabled,enabled,yes,no,no,,,,,,,,,,0,ptr,
"2010-02-10 00:00:01",high,192.168.0.2,udp,623,node02.example.com,ipmi,2.0,64512,ZZ,Region,City,no,no,yes,yes,no,default,enabled,enabled,yes,no,no,,,,,,,,,,0,,
"2010-02-10 00:00:02",high,192.168.0.3,udp,623,node03.example.com,ipmi,2.0,64512,ZZ,Region,City,no,yes,yes,yes,no,default,enabled,enabled,yes,yes,no,,,,,,,,,,0,ptr,

Our 131 Report Types