On May 13, 2014, at 7:09 AM, Jarrod B Johnson <jbjoh...@us.ibm.com> wrote:
> I honestly wouldn't put too much stock in the results of that from an audit
> perspective. I would instead try to actually go through the motions of
> authentication of interest. After all, a BMC could do cipher suite 0 even if
> not advertised and conversely not actually do cipher suite 0 even if
> advertised.
>
RE: final sentence, very true. However, from an audit perspective there are
some substantial differences between using Get Channel Cipher Suite and other
methods (such as simply trying to execute an IPMI command on a remote system.)
Perhaps the most important difference is that one method remotely executes
commands directly on a system vs. simply using publicly advertised network
services, which might matter if you're examining systems that you don't own or
have authorization to scan. Also, given the fragility of BMCs I know which one
I'd recommend when auditing critical infrastructure that has up/down time
concerns.

Differences in accuracy are interesting as well; of course actually
authenticating requires a valid account name (even if null ;)). While you can
know with near 100% accuracy when you succeed, a failure may or may not mean
that C0 is active. Of course GCCS isn't always right either, but I would hope
(at least!) that for classes of systems they'd produce similar results.

Of course you don't have to choose one over the other. Using GCCS as a filter
to drive authentication attempts seems reasonable to me.
dan
_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
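
The "GCCS as a filter" idea from the message above, as an added example that is not part of the original thread or of ipmitool: it decodes cipher suite record data from Get Channel Cipher Suites responses and lists the hosts that advertise suite 0, which an auditor would then confirm with an authorized authentication check. The host names and record bytes are constructed, and the data is assumed to be already reassembled from the response chunks.

```python
"""Audit-side filter: which BMCs advertise cipher suite 0? (added example)"""

STANDARD, OEM = 0xC0, 0xC1  # start-of-record bytes in IPMI 2.0 cipher suite records
KIND = {0x00: "auth", 0x40: "integrity", 0x80: "confidentiality"}


def parse_cipher_suites(data: bytes) -> list[dict]:
    """Decode concatenated cipher suite records into one dict per suite."""
    suites, i = [], 0
    while i < len(data):
        start = data[i]
        if start not in (STANDARD, OEM):
            raise ValueError(f"unexpected byte {start:#04x} at offset {i}")
        hdr = 2 if start == STANDARD else 5  # OEM records add a 3-byte IANA
        if i + hdr > len(data):
            raise ValueError("truncated record header")
        suite = {"id": data[i + 1], "oem_iana": None}
        if start == OEM:
            suite["oem_iana"] = int.from_bytes(data[i + 2:i + 5], "little")
        i += hdr
        # Algorithm bytes: bits 7:6 tag the kind, bits 5:0 give the algorithm.
        while i < len(data) and (data[i] & 0xC0) != 0xC0:
            suite[KIND[data[i] & 0xC0]] = data[i] & 0x3F
            i += 1
        suites.append(suite)
    return suites


def advertises_suite_zero(suites: list[dict]) -> bool:
    """True if standard suite 0 (no auth, integrity or encryption) is listed."""
    return any(s["id"] == 0 and s["oem_iana"] is None for s in suites)


def hosts_advertising_suite_zero(responses: dict[str, bytes]) -> list[str]:
    """Filter step: hosts whose advertisement warrants a follow-up check."""
    return sorted(h for h, raw in responses.items()
                  if advertises_suite_zero(parse_cipher_suites(raw)))


# Constructed sample data (hypothetical hosts, hand-built record bytes).
SAMPLE = {
    "bmc-a.example": bytes.fromhex("c000004080" "c003014181" "c011034481"),
    "bmc-b.example": bytes.fromhex("c003014181" "c011034481"),
}

if __name__ == "__main__":
    print(hosts_advertising_suite_zero(SAMPLE))
```

As the quoted reply points out, the advertisement is only a hint: a host missing from this list can still accept suite 0, and a listed host may refuse it.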