2 Comments
Frinkeldoodle - Wednesday, October 3, 2018

To be honest, if your BMC is accessible to the public internet, then you're gonna get what's coming to you - they're notoriously insecure in general. And if your server is physically accessible to a malicious party, then it's pretty much game over anyways.

GreenReaper - Thursday, October 4, 2018

BMCs don't seem to be treated as something which needs regular and ideally automated updates, when in fact they have web servers, SSH and suchlike which absolutely require it.

The assumption seems to be that the owners will do it manually on a regular basis, but with the numbers and variety of servers out there this is unrealistic - certainly the ones we lease are often well out of date, and this is from a reputable provider.

It doesn't help that some manufacturers, seeing security updates as a cost centre, have put up financial barriers to keeping servers up to date in the form of annual service subscriptions. Usually this hasn't been a problem for critical security issues, but there have been a few cases where I've had to hunt down RAID controller firmware on FTP servers.
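The two points raised in this thread, BMCs reachable from outside the management network and BMC firmware that nobody checks, are both things a fleet audit can catch automatically. The script below is an added example written for this page, not code from either commenter or from any vendor. It works on the JSON a Redfish BMC returns from `/redfish/v1/Managers/<id>` (the `FirmwareVersion` and `Model` properties are standard Redfish Manager fields), but the inventory here is constructed inline so it runs offline; the host names, model names, baseline versions, addresses and management network are all made up for the example. In real use you would fetch each manager document over HTTPS and feed it the same way.

```python
"""Audit BMCs for out-of-date firmware and for management addresses that
sit outside the dedicated management networks.

Added example: inventory, model names, baselines and networks are constructed.
"""
import ipaddress
import json
import re

# Constructed sample: one entry per server, holding the Redfish Manager
# document (trimmed to the fields we use) and the BMC's configured addresses.
SAMPLE_INVENTORY = json.loads("""
[
  {"host": "db01",
   "Manager": {"Id": "1", "Model": "ExampleBMC-Gen3", "FirmwareVersion": "4.20.20.20"},
   "Addresses": ["10.20.30.41"]},
  {"host": "web07",
   "Manager": {"Id": "1", "Model": "ExampleBMC-Gen3", "FirmwareVersion": "3.15.17.15"},
   "Addresses": ["10.20.30.47"]},
  {"host": "legacy03",
   "Manager": {"Id": "1", "Model": "ExampleBMC-Gen2", "FirmwareVersion": "2.63.60.61"},
   "Addresses": ["203.0.113.5", "10.20.30.53"]},
  {"host": "lab02",
   "Manager": {"Id": "1", "Model": "ExampleBMC-Gen1", "FirmwareVersion": "1.2b"},
   "Addresses": ["10.20.30.60"]}
]
""")

# Constructed minimum acceptable firmware per BMC model. In practice this is
# the version that closes the advisories you care about for that platform.
BASELINE = {
    "ExampleBMC-Gen3": "4.10.10.10",
    "ExampleBMC-Gen2": "2.70.70.70",
}

# Constructed: the only networks a BMC interface is allowed to live on.
MGMT_NETS = ["10.20.30.0/24"]


def parse_version(text):
    """Turn a dotted firmware string into a comparable tuple of integers.

    Each component keeps only its leading digits ("2b" -> 2); parsing stops at
    the first component with no digits. Tuples compare lexicographically, so a
    shorter tuple sorts before a longer one with the same prefix.
    """
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def in_mgmt_net(addr, nets):
    """True if addr falls inside any of the allowed management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def audit(inventory, baseline, mgmt_nets):
    """Return a list of (host, issue) findings for BMCs that need attention."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for entry in inventory:
        host = entry["host"]
        manager = entry["Manager"]
        model = manager.get("Model", "unknown")
        firmware = manager.get("FirmwareVersion", "")
        minimum = baseline.get(model)
        if minimum is None:
            # A model with no baseline is itself a gap in the update process.
            findings.append((host, f"no firmware baseline for model {model!r}"))
        elif parse_version(firmware) < parse_version(minimum):
            findings.append((host, f"firmware {firmware} below baseline {minimum}"))
        for addr in entry["Addresses"]:
            if not in_mgmt_net(addr, nets):
                findings.append((host, f"BMC address {addr} outside management networks"))
    return findings


if __name__ == "__main__":
    for host, issue in audit(SAMPLE_INVENTORY, BASELINE, MGMT_NETS):
        print(f"{host}: {issue}")
```

The allowlist check deliberately asks "is this address on one of our management networks" rather than "is this address private": a BMC on some other internal VLAN is still reachable by far more machines than it should be, and a positive list is what you actually want to enforce at the firewall anyway.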