Date: Sun, 6 Apr 2014 16:36:33 +0200
From: Achim Patzner <ap@bnc.net>
To: Kamil Choudhury <Kamil.Choudhury@anserinae.net>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Securing baseboard managers
Message-ID: <B479C45C-0F92-44D6-B614-471ADF229EEE@bnc.net>
In-Reply-To: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
References: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
On 05.04.2014 at 17:00, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:

> A new motherboard

You might have told us a bit more about that mainboard if you wanted some hints…

> I just bought has one of those out of band management
> Ethernet ports. When I connected it into my cable router, despite the
> cord being plugged into the non-baseboard Ethernet port, the baseboard
> grabbed my public IP (I use this box as a router) instead of FreeBSD.

… because it is using DHCP and probably up and running before FreeBSD even starts thinking about booting. Nothing wrong there. You might take a look at the firmware configuration and just turn it off if you don't need it. Or use another NIC for your outside connection.

> 1/ How do you protect yourself against this kind of vulnerability? Am I
> paranoid for even thinking this is a problem?

Usually by reading the manual and configuring the hardware or turning the thing off if it is not needed. Or removing the microcontroller from my mainboard (e.g. on Intel server boards).

> 2/ While out of band management is useful, I just can't bring myself to
> trust software that seems to have been written by poo-flinging monkeys
> (seriously, you need to see the browser-based UI they provide: frames!
> <blink>! Java applets!).

If you're that much better than those programmers you might lend them a hand. But remember: your tools have to be running on everything on this planet including FreeBSD boxes running a browser in a Linux emulation. And on my Android phone, of course.

> Is there any way to replace the vendor provided
> solution with something more auditable and configurable? Maybe a teeny-tiny
> BSD-based distribution?

Of course. Just write it. But keep in mind that the inner workings of those remote management modules are quite a bit more complex than their block diagrams.

Achim
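The advice in the reply is to read the BMC's LAN configuration and either pin it down or turn it off. As an added example, not part of the thread, here is a small POSIX sh audit that reads the output of `ipmitool lan print <channel>` and reports the two settings a practitioner would change first: an address taken by DHCP (which is exactly how the poster's BMC ended up holding the public lease) and IPMI cipher suite 0, which the IPMI 2.0 spec defines as "no authentication". The sample output is constructed for this example, and the channel number 1 in the suggested fix commands is an assumption; boards vary.

```sh
#!/bin/sh
# Added example (not from the thread): audit a BMC's LAN channel settings.
# Usage on a real host (channel 1 is an assumption, check your board):
#   ipmitool lan print 1 | audit_bmc_lan
# Each finding is printed on one line; nothing is printed when clean.

# Constructed sample of `ipmitool lan print 1` output, abridged to the
# lines this audit inspects. This is what a board left at defaults looks like.
SAMPLE_DHCP='Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 203.0.113.5
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 203.0.113.1
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX'

# Constructed sample after pinning the address and disabling suite 0.
SAMPLE_HARDENED='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 192.0.2.1
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : XaaaXXaaaXXaaXX'

# lan_field KEY: print the value of the "KEY : value" line read from stdin.
lan_field() {
    grep "^$1[[:space:]]*:" | sed 's/^[^:]*:[[:space:]]*//'
}

# audit_bmc_lan: read `ipmitool lan print` output on stdin, print findings.
audit_bmc_lan() {
    out=$(cat)

    # 1. DHCP means the BMC leases on whatever segment it is cabled to,
    #    before the OS is even booting. Pin it, or disable LAN access.
    src=$(printf '%s\n' "$out" | lan_field 'IP Address Source')
    case "$src" in
        *DHCP*)
            echo "FINDING: IP Address Source is '$src'. Fix: ipmitool lan set 1 ipsrc static (then ipaddr/netmask/defgw), or ipmitool lan set 1 access off if OOB management is not needed" ;;
    esac

    # 2. Cipher suite 0 is the IPMI 2.0 'no authentication' suite. The
    #    first character of cipher_privs controls it; X = unused/disabled.
    suites=$(printf '%s\n' "$out" | lan_field 'RMCP+ Cipher Suites')
    case ",$suites," in
        *,0,*)
            echo "FINDING: cipher suite 0 (no authentication) enabled in '$suites'. Fix: ipmitool lan set 1 cipher_privs XaaaXXaaaXXaaXX (X in position 1 disables suite 0)" ;;
    esac
}

# count_findings: number of findings for the lan print output on stdin.
count_findings() {
    audit_bmc_lan | wc -l | tr -d ' '
}

# Demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_DHCP" | audit_bmc_lan
```

Run it against a live board as `ipmitool lan print 1 | sh -c '. ./audit.sh; audit_bmc_lan'` or source the functions into your shell; the `ipmitool lan set` commands in the findings are the documented ipmitool syntax, and the firmware setup menu the reply refers to is the other place the same settings live.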