Score:3

Limiting in-band OS access to Supermicro BMC (AST2500) possible?

jp flag

TL;DR: Is there any option to disable OS (in-band) access to Aspeed AST 2500 BMC on a SuperMicro board or at least limit it somehow (e.g. via specific password or via setting the permission level to read-only access)?

Long version:

Last year we bought a few SuperMicro servers containing an Aspeed AST2500 BMC. Up to now we were not using the BMCs but now are in the process of setting them up, reachable via a separate out-of-band management network. While researching options to reset BMC passwords I found multiple posts (e.g. this one) which indicate as soon as I've got root privileges on the host I can also access the BMC and change the admin password without any additional security measures.

I really don't like the idea of being able to change BMC parameters from within the host OS, especially because BMCs are often badly patched and are a very interesting target for rootkits (by the way, exactly such a rootkit was discovered the other day; at least, as far as I know, it could not get onto the BMC via the in-band interface).

Is there any option to limit host-to-BMC communication?

EDIT: The server board used in our servers is "ASRock ROMED8-2T".

Score:2
ca flag

Short answer: I am not aware of a BMC setting telling it "disable all in-band access", and I really doubt it exists or that it could be useful at all.

Long answer: While your question is interesting, please note that if someone gained root privileges your server is irrecoverably compromised, so you cannot trust it anymore. After all, root is able not only to reset the BMC password, but also to reflash it, rewrite the mainboard BIOS/UEFI and update the firmware of other add-on cards (i.e. RAID controllers).

All of that can be accomplished by standard low-level interfaces (I2C, DMI, IPMI, etc.) which the Linux kernel natively supports. Removing the corresponding modules/code will not work, as a bad actor having root privileges can install and reboot a patched kernel.

Apollo13 avatar
jp flag
Thanks for your answer - of course you are absolutely right about a server being "irrecoverably compromised" if an attacker gained root access. In fact, I asked about ways to limit communication because I want to prevent an attacker from gaining access to the management network via the BMC. But apparently there is no such option...
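The answer above mentions the kernel's in-band IPMI support and why removing it is not a real boundary. The following POSIX shell script is an added example, not code from the thread or from Supermicro/ASRock: it audits a Linux host for the in-band IPMI driver stack (the real module names ipmi_si, ipmi_ssif, ipmi_devintf and ipmi_msghandler, plus the /dev/ipmi* character device) and writes a modprobe.d blacklist as a defense-in-depth measure. The `lsmod` text embedded in it is constructed sample output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Linux host for the
# in-band IPMI driver stack that lets root talk to the BMC, and generate a
# modprobe blacklist for it. Caveat from the accepted reasoning above: root can
# reload the modules or boot a patched kernel, so this raises the bar and makes
# in-band access visible in change logs; it does not prevent it.

# Constructed sample of `lsmod` output (not captured from a real host).
# On a real host, feed `lsmod` in instead.
SAMPLE_LSMOD='Module                  Size  Used by
ipmi_devintf           20480  0
ipmi_si                65536  0
ipmi_msghandler       110592  2 ipmi_devintf,ipmi_si
e1000e                286720  0'

# Print the loaded IPMI-related module names, one per line, from lsmod text on stdin.
ipmi_modules_loaded() {
    awk 'NR > 1 && $1 ~ /^ipmi_/ { print $1 }'
}

# Return 0 (true) when the in-band path is usable from user space: the
# character-device driver is loaded or a /dev/ipmi* node exists.
# $1 = lsmod text, $2 = directory to scan for device nodes (default /dev).
inband_ipmi_exposed() {
    lsmod_text=$1
    devdir=${2:-/dev}
    if printf '%s\n' "$lsmod_text" | ipmi_modules_loaded | grep -qx 'ipmi_devintf'; then
        return 0
    fi
    for node in "$devdir"/ipmi*; do
        [ -e "$node" ] && return 0
    done
    return 1
}

# Write a modprobe.d blacklist for the whole stack and print its path.
# $1 = target directory (use /etc/modprobe.d on a real host; a temp dir for testing).
# The "install <module> /bin/false" lines stop modprobe from loading the module
# on demand, which is what the bare "blacklist" directive alone does not do.
write_ipmi_blacklist() {
    target=$1/blacklist-ipmi.conf
    {
        echo '# Block the in-band BMC driver stack (defense in depth, not a boundary).'
        for m in ipmi_devintf ipmi_si ipmi_ssif ipmi_msghandler; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$target"
    printf '%s\n' "$target"
}

# Stand-alone run: report on the constructed sample and write the blacklist to a temp dir.
if inband_ipmi_exposed "$SAMPLE_LSMOD" /nonexistent; then
    echo "in-band IPMI is exposed (loaded: $(printf '%s\n' "$SAMPLE_LSMOD" | ipmi_modules_loaded | tr '\n' ' '))"
fi
echo "blacklist written to $(write_ipmi_blacklist "$(mktemp -d)")"
```

On a real host you would pipe `lsmod` into `ipmi_modules_loaded`, point `write_ipmi_blacklist` at /etc/modprobe.d and rebuild the initramfs afterwards; the useful signal for the OP's threat model is not the blacklist itself but an alert when the modules or /dev/ipmi0 reappear, since, as the answer says, a root-level attacker can simply undo the configuration.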