Resolving the IPMI Cipher Zero vulnerability

Description

This article describes the steps to resolve an IPMI Cipher Zero vulnerability.

Setup

This tutorial requires ipmitool. You can install it on your Linux OS or boot into rescue mode.

Local install

For Ubuntu/Debian

apt-get install ipmitool
modprobe ipmi_devintf
modprobe ipmi_si


For CentOS/RHEL

yum install ipmitool
modprobe ipmi_devintf
modprobe ipmi_si

Rescue mode

  1. Boot the server into the rescue image by going to your control panel. Select the server that needs the update and select 'Rescue 2.1 (amd64)'.

    Rescue mode will cause a hard restart of your server. This can cause you to lose data. You probably want to shut down your server cleanly before you confirm this operation.

  2. Click the "Confirm" button.
     
  3. Get the password from the server by clicking "Show Operating system password". 
  4. SSH to the server and run the following commands from the rescue image:

    modprobe ipmi_devintf
    modprobe ipmi_si

    These commands load the IPMI kernel modules.

HP ILO

ILO 100

Boot your server into the rescue image or install ipmitool on your local OS. Run the following command:

ipmitool raw 0x0c 1 2 0x18 0 0x51 0x55 0 0 0 0 0 0

ILO 3

Upgrade the firmware to version 1.61 or higher. Download the firmware from here (Linux) or here (Windows). Download the CP*.scexe file.

ILO 4

Upgrade the firmware to version 1.30 or higher. Download the latest firmware from here (Linux) or here (Windows). Download the CP*.scexe file.

Upgrading ILO3/4 via Rescue Mode

  1. Boot your server into the rescue image. Copy the firmware to the rescue image with scp:

    scp CP*.scexe root@<your server ip>:

  2. Log in to your server and unpack the firmware:

    ssh root@<your server ip>
    chmod +x CP*.scexe
    mkdir ilo
    ./CP026424.scexe --unpack=/root/ilo

  3. Now change to the 'ilo' directory and perform the upgrade:

    cd ilo
    ./flash_ilo3

FLASH_iLO3 v1.10 for Linux (Nov 17 2014)
(C) Copyright 2002-2014 Hewlett-Packard Development Company, L.P.
Creating directory for default log file /var/cpq
Firmware image: ilo3_185.bin
Current iLO 3 firmware version 1.26; Serial number ILOCZ3210B34M

Component XML file: CP026424.xml
CP026424.xml reports firmware version 1.85
This operation will update the firmware on the
iLO 3 in this server with version 1.85.
Continue (y/N)?y
Current firmware is 1.26 (Aug 26 2011 )
Firmware image is 0x801664(8394340) bytes
Committing to flash part...
******** DO NOT INTERRUPT! ********
Flashing completed.
Attempting to reset device.
Succeeded.
***** iLO 3 reboot in progress (may take up to 60 seconds.)
***** Please ignore console messages, if any.
iLO 3 reboot completed.

Dell iDRAC version 6

All iDRACs with version 6 or lower need a firmware update to resolve this vulnerability. Download the latest firmware from here, under the table "iDRAC6 Monolithic FW Version". Follow this guide to upgrade the firmware. Once your firmware is upgraded, you can continue with the Dell iDRAC information provided below.

Dell iDRAC

Boot your server into the rescue image or install ipmitool on your local OS. Run the following command:

ipmitool lan set 1 cipher_privs XXaaXXXXXXXXXXX

In case you want to monitor the server using iDRAC IPMI from an application (such as "IPMI touch" on iOS devices), you need to change cipher suite selection from "none/not used" to "SHA1 / SHA1-96".

Intel BMC and IBM IMM

Boot your server into the rescue image or install ipmitool on your local OS. Run the following command:

ipmitool lan set 1 cipher_privs XXaaXXXXXXXXXXX

Supermicro iKVM

This is the IPMI device for some Supermicro servers. To make sure these devices are not vulnerable, use the latest version (anything > 3.xx; see the comments on the Supermicro download page: http://www.supermicro.nl/support/bios/).

Boot your server into the rescue image or install ipmitool on your local OS. Run the following command:

ipmitool lan set 1 cipher_privs XaaaXXaaaXXaaXX

Testing to verify that the vulnerability is resolved

In order to check if the vulnerability is resolved, from a machine that has ipmitool installed, run the following command:

ipmitool -I lanplus -C 0 -H <ip address> -U <username> -P fluffywabbit lan print

Use the following table to find your username:

Device       Default username
iDRAC        root
HP ILO100    Administrator
HP ILO3/4    admin
IBM          USERID

If you get the following error, your device has been patched successfully:

ipmitool -I lanplus -C 0 -H <ip address> -U admin -P fluffywabbit lan print
Error in open session response message : invalid role
Error: Unable to establish IPMI v2 / RMCP+ session

However, if you get something like the message displayed below, you are still vulnerable:

ipmitool -I lanplus -C 0 -H <ip address> -U admin -P fluffywabbit lan print
Get HPM.x Capabilities request failed, compcode = d4
Set in Progress         : Set Complete
Auth Type Support       : NONE MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD5 PASSWORD
                        : User     : NONE MD5 PASSWORD
                        : Operator : NONE MD5 PASSWORD
                        : Admin    : NONE MD5 PASSWORD
                        : OEM      : NONE MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : <ip address>
Subnet Mask             : 255.255.255.224
MAC Address             : 12:ab:cd:ef:ab:01
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : <gateway ip>
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : OOOOXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
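
The cipher_privs strings set earlier and the pass/fail test in this section can both be checked with a short script. This is an added example, not part of the original article; the function names are hypothetical and the sample output is constructed from the listing above. In a cipher_privs list, the character position is the cipher suite number, so the first character governs cipher suite 0.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Decode a 15-character cipher_privs list: position N (0-based) is cipher
# suite N. Prints "suite=LEVEL" for every suite that is not X (unused).
enabled_suites() {
    privs=$1 list="" i=0
    [ "${#privs}" -eq 15 ] || { echo "need 15 characters" >&2; return 2; }
    while [ "$i" -lt 15 ]; do
        case $(printf '%s' "$privs" | cut -c "$((i + 1))") in
            X) ;;
            c) list="$list $i=CALLBACK" ;;
            u) list="$list $i=USER" ;;
            o) list="$list $i=OPERATOR" ;;
            a) list="$list $i=ADMIN" ;;
            O) list="$list $i=OEM" ;;
            *) echo "bad character at position $i" >&2; return 2 ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${list# }"
}

# Pull the privilege list out of `ipmitool lan print` output on stdin.
privs_from_lan_print() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*\([XcuoaO]\{15\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Classify the output of the "-C 0" test (stdin) by the article's criteria:
# the "invalid role" error means patched, a LAN printout means vulnerable.
classify_cipher0_test() {
    result=$(cat)
    case $result in
        *"invalid role"*) echo patched ;;
        *"Cipher Suite Priv Max"*) echo vulnerable ;;
        *) echo inconclusive ;;
    esac
}

# Constructed sample: two lines in the shape of the vulnerable output above.
sample_vulnerable() {
    printf '%s\n' 'RMCP+ Cipher Suites     : 0,1,2,3' \
                  'Cipher Suite Priv Max   : OOOOXXXXXXXXXXX'
}

sample_vulnerable | classify_cipher0_test
enabled_suites "$(sample_vulnerable | privs_from_lan_print)"
enabled_suites XXaaXXXXXXXXXXX
```

To check a live BMC, pipe the output of the test command above into classify_cipher0_test, or pipe a local `ipmitool lan print 1` into privs_from_lan_print and confirm that suite 0 is absent from the enabled_suites result.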