
I would like to get some outside opinion on this if possible, although I do not know what to ask.

Sun ILOM is an out-of-band management system. I understand it is a separate OS on the box that is always on. It is able to access the keyboard, monitor, mouse and other hardware interfaces, as well as power the machine on and off.

What is the risk of malicious software on these? (Specifically Sun X4100, but there are others)

I know that it is theoretically possible to install a new OS using the Firmware Upgrade system, and since it has access to all the hardware, it could send information through the network card.

What is the risk of this happening? How can I prevent this type of attack when installing used equipment?

AviD
700 Software
  • Where are you getting the hardware from? What is the reputation of the seller? What is your threat environment? Is it likely that an attacker would spend a great amount of effort to infiltrate your infrastructure? – this.josh Jul 18 '11 at 21:13
  • I have been assigned to research the risks and decide the balanced way to get rid of them. However, I am supposed to use outside opinion in case I don't understand as well as I think I do. For the purpose of this research, someone might very well have intercepted the equipment. We would like to consider the generic attacker who does not actually know us, and the attacker who is frustrated at us taking their business. These attackers have lots of time on their hands. An exaggerated intrusion would be bad for our reputation, even if they were only able to call home without capturing anything. – 700 Software Jul 18 '11 at 21:22

2 Answers


One assumes that you want to actually use the ILO capability, so "don't plug it into the network" isn't a useful answer. However, this is one of the few areas where it may make sense to have a separate "management" network. Put all the ILO interfaces onto a single network and limit that network's access, either via routing, firewall, or ACLs, so that only those trusted administrators' machines can access the ILO. You should rarely need the ILO addresses to be able to go generally outbound, as the whole purpose of an ILO card is just to allow you to get "in front of the machine" without running down to the server room (which can be hours away in many cases).

As far as the firmware goes, it is reasonable for you to update all the firmware yourself. This not only guarantees an outsider can't slip malicious firmware past you, but it also may ensure that any security updates that apply to that hardware are in place. As illustration, the following link shows how to update and/or reset various ILO firmware:

http://download.oracle.com/docs/cd/E19569-01/820-1188-12/core_ilom_firmware.html

(Illustration only, I don't doubt that there are 17 proper locations describing how to handle 9 different Sun ILO platforms. And of course other vendors have their own ILO equivalents which would be handled differently in each case!)

P.S. ILO was originally HP's designation for lights-out management. I could have sworn Sun used a different nomenclature, but I can't pull it up at the moment. However, like many people, I long ago began to use "ILO" to refer to "whatever the vendor's called their remote access card thingy," so I'll just call it all ILO here.

gowenfawr
  • In response to your P.S. : ELOM and ALOM as well as Service Processor or SP have been used for equivalent and/or similar Sun "remote access card thingy"s. – 700 Software Jul 18 '11 at 21:08
  • We do in fact have an ILOM network that does not connect to the internet. My concern was that the malicious code might access the other network card(s) on the machine to do its dirty work. I can tell the firmware is upgraded by noticing the updated tab layout and functionality differences. I wonder if this is sufficient to be sure there is no malicious firmware lurking in there. – 700 Software Jul 18 '11 at 21:12
  • a) I think SP is what I was thinking of :) b) If you're concerned, then even checking what the firmware "says" its level is is probably not good enough, and flashing a fresh version on is a relatively cheap risk mitigation. My advice is to add the 10 minutes to flash with the vendor update to your 'server build' process and remove the uncertainty. – gowenfawr Jul 18 '11 at 21:46
  • I did not communicate clearly. I will certainly put in the 10 minutes you speak of. I meant to refer to the risk that when I update the firmware, it might not actually be taking the update. The update is installed through the existing firmware I believe, so it could be ignoring the update. All I know to do is to watch for the update of the tab layout and button changes, and of course the displayed version number. So, I wonder, if you see the tab layouts and stuff change after the update, what is the risk that there is still malicious code? – 700 Software Jul 19 '11 at 00:47
  • Ah, I see the distinction now. I think the risk is reasonably low, but of course, it exists - the Stuxnet worm wrote itself to firmware and caused the firmware to report "all is well" when it wasn't. If you're concerned about that level of threat, then no, just looking wouldn't be enough. You'd want to be able to attach the firmware to an external controller for wipes/resets and not go through itself, which probably isn't easily supported by Sun. I'm inclined to say that the risk is low enough not to require such measures, but it depends on what your threat environment is. – gowenfawr Jul 19 '11 at 13:19
  • To sum up - if your brief is to "research the risks and decide the balanced way to get rid of them" with outside opinions as necessary, then my outside opinion is: based on the level of threat you've described, flashing ILO and using a non-routed/firewalled management network is a sufficient level of compensating control to manage the risk. – gowenfawr Jul 19 '11 at 17:45
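One way to encode the management-network control gowenfawr recommends (admin hosts only, no general outbound for the ILOM addresses) and audit firewall log lines against it, as an added example that is not part of the original answers; the subnet, admin hosts, allowed ports and log format are all assumed:

```python
import ipaddress
import re

# Assumed policy values (not from the original post): the dedicated ILOM
# subnet, the admin workstations allowed into it, and the SP services they may reach.
ILOM_NET = ipaddress.ip_network("10.99.0.0/24")
ADMIN_HOSTS = {ipaddress.ip_address("10.1.5.10"), ipaddress.ip_address("10.1.5.11")}
ALLOWED_PORTS = {22, 443}  # SSH and HTTPS to the service processor

# Matches the SRC/DST/PROTO/DPT fields of an iptables-style LOG line. We assume the
# firewall logs only new connections, so replies to an admin session never show up
# as ILOM-sourced flows.
FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?")


def classify(line):
    """Return (verdict, src, dst, dport), or None if the line does not touch the ILOM subnet."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(2))
    dport = int(m.group(4)) if m.group(4) else None
    if src in ILOM_NET:
        # A service processor never needs to initiate connections; a flow it
        # originates is exactly the "call home" behaviour the question worries about.
        return ("ilom-outbound", str(src), str(dst), dport)
    if dst in ILOM_NET:
        if src not in ADMIN_HOSTS:
            return ("untrusted-source", str(src), str(dst), dport)
        if dport not in ALLOWED_PORTS:
            return ("unexpected-port", str(src), str(dst), dport)
        return ("ok", str(src), str(dst), dport)
    return None


def audit(lines):
    """Return every flow that violates the management-network policy, in log order."""
    results = [classify(line) for line in lines]
    return [r for r in results if r is not None and r[0] != "ok"]


# Constructed sample log lines, not captured from a real firewall.
SAMPLE_LOG = [
    "Jul 18 21:13:02 mgmt-fw kernel: SRC=10.1.5.10 DST=10.99.0.21 PROTO=TCP DPT=443",
    "Jul 18 21:13:09 mgmt-fw kernel: SRC=10.1.5.10 DST=10.99.0.21 PROTO=UDP DPT=623",
    "Jul 18 21:14:41 mgmt-fw kernel: SRC=192.168.7.44 DST=10.99.0.21 PROTO=TCP DPT=22",
    "Jul 18 21:15:05 mgmt-fw kernel: SRC=10.99.0.21 DST=203.0.113.5 PROTO=TCP DPT=80",
    "Jul 18 21:16:30 mgmt-fw kernel: SRC=10.1.5.11 DST=10.1.5.10 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

The "ilom-outbound" verdict is the one worth alerting on loudly: on a correctly isolated management network it should never fire, so a single hit is a strong signal that something on the service processor is trying to reach out.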

Given that your question appears to be specifically about the risk of malicious firmware on the ILOM, I think there is a question here for the vendor (good luck getting Sun support from Oracle BTW). Are the firmware images signed? Are the signatures validated on installation?

These are the key controls for preventing malicious software/firmware updates.

Andrew