Possible security breach through Intel ME / IPMI on Servers?
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Hello,
I have 2 servers that I installed with Ubuntu Server and I monitor them.
Suffice to say that I didn't configure the BIOSes initially. Somebody else was in charge of this operation.
Let's call these servers: Server1 and Server2.
Server1 is a Lenovo ThinkCentre M92P - This one has Intel Management Engine with AMT
Server2 is an HP ProLiant DL160 G6 - This one has IPMI (to my surprise, it doesn't have iLO).
I was in charge of the OS Section.
I installed Ubuntu 20.04 on both of them, I secured them, firewall, VPN, and so on....
But I didn't pay attention to one single thing: the possibility of external access, independent of the OS, via Intel ME/AMT and IPMI.
I disabled them both (Intel ME/AMT and IPMI) on both servers so I can have a good night's sleep. And no, I do not need them. The OS with Linux is enough, I don't need remote management features.
My questions are (I ASK THAT ONLY PEOPLE WHO KNOW THESE THINGS LIKE 100% TO ANSWER ME, OK?)
1. CAN SOMEBODY HACK INTO MY SYSTEM USING THESE AND ACCESS THE CONTENTS OF MY HDD WHILE LINUX IS RUNNING?
(I am ONLY interested in information theft or virus/info writing on the HDD).
I don't care about CPU temperature, auto-reboots and sensors. Nothing happened that I should have noticed.
I am only interested in remote exploits.
Is it possible? Does Intel ME/AMT or IPMI allow for this? (for externals to enter my system and read the HDD)?
I also mention the following facts:
1st server (Intel ME/AMT):
- I think it only runs on the on-board NIC. I don't use the onboard LAN card. Only PCIe LAN cards.
Does Intel ME/AMT run only on the on-board NIC? If that is the case, I can stay relaxed.
- It looks like AMT had DHCP active, but my card doesn't get DHCP, so I believe this is also a good point.
- Even configuring a local address, I wasn't able to access Intel ME/AMT from Linux or from an external computer via the real IPs. Port scans reveal no open ports, aside from those opened by Linux.
2nd server (IPMI):
- IPMI is set in the BIOS to run on the DEDICATED NIC. Not on the Shared Onboard NIC. (but I didn't see a dedicated RJ-45 port on the back of the server)
- Also, NO IP address is obtained via DHCP.
- I wasn't able to access Intel ME/AMT from Linux or from an external computer via the real IPs. Port scans reveal no open ports, aside from those opened by Linux.
I disabled the services now.
I am interested in whether, UNTIL NOW, anyone could have entered in some form or another to access my HDD?
I believe that in order to enter, an IP address must be configured. Intel ME/AMT and IPMI both used DHCP on an interface on which I didn't have an IP. But in my internal LAN, I had an IP on a PCIe card. Could that have been a problem?
If someone can help, please help me with these security concerns....
If you want an honest answer for the worst case scenario, then yes, it could have happened, either via remote/local access, or even a pre-installed backdoor in the supply chain. Yes, it is possible, but when you talk about security you have to consider the costs and efforts to hack something versus the profits that that 'something' can give you.
The process to develop something like a custom firmware for an HDD, for example, is very complicated and requires significant dedication. If you want to talk about the possibilities of these things occurring, you may want to google that to find interesting articles dating back to the early 2000s. It is possible but generally involves a state-backed attacker. Or someone who's specifically out to get you, and who either has very deep knowledge or very deep pockets to hire those with deep knowledge.
For the most part, for the absolute majority of people, the real-world answer would be no, you're safe.
For the first server, nothing bad can happen to you with the current configuration, unless you lose root to someone, in which case a local attacker could reflash the firmware. For the second one, iLO was discussed back in 2018 and it has direct RAM access, so it's possible to infect the host OS without reboots. At least, that's what the papers tell. If you connect the LAN to the built-in NIC then you're potentially exposing iLO; use an external PCIe NIC like with your first server.
However, I see that your answer is more of a general nature... educational I might add.... :-)
Yes, I know that theoretically it could have been a problem.
But in this scenario, which is adapted to my situation (where I didn't have a dedicated NIC (for iLO) or onboard NIC (for IPMI)) and where I didn't have IP addresses assigned in either server to begin with (DHCP was active and NO IP), could it have been a problem?
Can someone connect to these if they do not have assigned IP addresses in the first place?
If you study my exact scenario carefully, is there cause for concern? (technically speaking, not related to the importance or time spent)
I don't know if these systems in particular continue sending out DHCP requests; if they do (which is easy to check with tcpdump on the other side of the wire), you can introduce a DHCP server to the network and that would assign IPs to everyone who's asking for one. Personally, I would rather just use another NIC, just like you do on the first server. If you use another NIC, there is no way those packets would be captured and routed into IPMI at the hardware level.
So like I said, your first PC seems fine; the second is questionable and could potentially have been assigned an IP and interacted with. If you can't install another NIC you may want to set up a trusted firewall between that server and the rest of the network, filtering all packets coming from/going to the IPMI MAC address. That would negate all chances of interaction with it.
What we need to grasp is the idea that these computers with IPMI must be kept on a separate NIC on an extremely trusted network. There is a movement towards something "open" but that doesn't mean it's gonna be bug-free; nothing is perfect.
If you don't use IPMI at all at work, then it's actually better if your server has a dedicated/shared setting to move it off to the dedicated port and never plug anything in there. I've been taught to generally view this AMT and IPMI stuff as uncontrolled backdoors rather than a useful tool, and to try to avoid them at all costs. We see new exploits for those every single year. How many more are never revealed?
Theoretically, anything is possible until proven otherwise (that is, minding security from day 1).
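The tcpdump check suggested above (is something other than the host OS still asking for a DHCP lease on that cable?) and the MAC-based filter, as an added example that is not from the thread: it parses the `BOOTP/DHCP, Request from <mac>` lines tcpdump prints for client packets, reports any requesting MAC the host OS does not own, and emits nftables bridge rules for a filtering bridge. The capture, the MAC addresses and the bridge table/chain names are constructed assumptions.

```python
"""Spot DHCP clients on the server's cable that are not the host OS's own NICs,
e.g. a BMC/AMT controller still alive on a shared onboard port.
Input: lines from `tcpdump -n -i <iface> port 67 or port 68`, captured on the
other side of the wire (a mirror port or an inline bridge).  Sample is constructed."""
import re
from typing import Dict, Iterable, List, Set

# tcpdump prints a DHCP client packet as "... BOOTP/DHCP, Request from <mac>, length N"
# and a server packet as "... BOOTP/DHCP, Reply, length N" (no MAC shown).
DHCP_CLIENT_RE = re.compile(
    r"BOOTP/DHCP, Request from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed capture: two requests from the OS-owned PCIe NIC, two from a MAC
# the OS never configured (what a BMC on a shared port would look like), one reply.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:01, length 300
10:01:02.000500 IP 192.0.2.1.67 > 192.0.2.50.68: BOOTP/DHCP, Reply, length 300
10:02:15.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:CC:DD:02, length 300
10:03:15.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:cc:dd:02, length 300
10:04:00.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:01, length 300
"""
# MACs the OS owns (take them from `ip -br link` on the server); constructed here.
HOST_NIC_MACS: Set[str] = {"52:54:00:aa:bb:01"}

def count_dhcp_clients(capture: str) -> Dict[str, int]:
    """Map each requesting client MAC (lower-cased) to its number of requests."""
    counts: Dict[str, int] = {}
    for line in capture.splitlines():
        m = DHCP_CLIENT_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            counts[mac] = counts.get(mac, 0) + 1
    return counts

def unexpected_clients(capture: str, known: Set[str]) -> Dict[str, int]:
    """Requests from MACs the host OS does not own: candidates for a BMC/AMT controller."""
    known_lc = {k.lower() for k in known}
    return {mac: n for mac, n in count_dhcp_clients(capture).items() if mac not in known_lc}

def nft_drop_rules(macs: Iterable[str]) -> List[str]:
    """nftables rules dropping frames from/to those MACs on an inline bridge;
    assumes a bridge-family table `filter` with a forward chain already exists."""
    rules: List[str] = []
    for mac in sorted(macs):
        rules.append(f"nft add rule bridge filter forward ether saddr {mac} drop")
        rules.append(f"nft add rule bridge filter forward ether daddr {mac} drop")
    return rules

if __name__ == "__main__":
    suspects = unexpected_clients(SAMPLE_CAPTURE, HOST_NIC_MACS)
    for mac, n in suspects.items():
        print(f"unknown DHCP client {mac}: {n} request(s)")
    print("\n".join(nft_drop_rules(suspects)))
```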