# IPMI/BMC vulnerabilities



## MartinD (Jul 28, 2013)

Just came across this from a UKNOF thread:


http://threatpost.com/ipmi-protocol-bmc-vulnerabilities-expose-thousands-of-servers-to-attack


----------



## notFound (Jul 28, 2013)

Pretty sure that was an old vulnerability, or maybe that's another or an imaginary one I was thinking of.


----------



## kaniini (Jul 28, 2013)

This is why the BMCs should be on a private network not accessible from the internet, where the only external access is through a VPN.


----------



## fapvps (Jul 30, 2013)

Does anyone actually have BMCs facing the open internet?


----------



## jarland (Jul 30, 2013)

fapvps said:


> Does anyone actually have BMCs facing the open internet?


Every WSI/Datashack customer who requests IPMI and doesn't secure it, if you can even do that with the trashy one they use, certainly does. Google indexes a lot of these things. It's an all-you-can-eat buffet of wide open onboard IPMI. Googling for fun, I see universities, large corporations, and even government entities with the login pages publicly accessible.


----------



## fixidixi (Aug 19, 2013)

> Googling for fun, I see universities, large corporations, and even government entities with the login pages publicly accessible.


Or just simply use Shodan.


----------

