Author Topic: network card to reduce attack surface?

n2vi

network card to reduce attack surface?
« on: April 13, 2022, 11:43:07 am »
I have updated the BMC firmware in the past [see 2021-03-21 post], but as time passes I'm uncomfortable with the attack surface exposed by the BMC listening on the motherboard network ports. My current solution is to unplug from those and instead add a network card on the PCI bus. I still have serial connections for BMC and POWER for doing system administration.

Is there a simpler way to achieve this? Perhaps a BMC configuration trick that disables NC-SI?

Borley

Re: network card to reduce attack surface?
« Reply #1 on: April 13, 2022, 10:27:38 pm »
IIRC the BMC is only remotely accessible through the third RJ45 port (adjoined to the rear panel USB on Blackbird).

Quote
The C1P9S01 BMC is attached to network port 3 via NCSI, and is configured to request an IP address via DHCP

It should be safe to just avoid using that port.
Blackbird C1P9S01, CPU 02CY650, 2x 8GB 2666 RAM, 1024GB M.2 SSD, AMD RX 560X, 2U heatsink, 500W SFX PSU, Debian 11

n2vi

Re: network card to reduce attack surface?
« Reply #2 on: April 14, 2022, 11:55:29 am »
Thanks for the quick response!

I should have clarified in my question that I'm running a Talos II and can definitely ssh to the BMC through the main ports. I don't have a Blackbird, so I can't say what is possible there, but if I'm looking at the correct schematic off Raptor's site it would seem to have the same issue.

It is the bmcweb process I see running on the BMC that particularly prompted me to be nervous, but I haven't investigated that in detail. A potential pre-auth ssh vulnerability is enough to make me want the air-gap anyway.

n2vi

Re: network card to reduce attack surface?
« Reply #3 on: April 14, 2022, 12:59:33 pm »
It might be enough (from the BMC serial port) to say "ifconfig eth0 down", which I've done.
I'm not enough of an expert in the firmware's network stack to feel confident that's all I need.
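One way to answer the "is ifconfig eth0 down enough?" question is to audit the BMC from its own serial console. The script below is an added example, not from this thread or from the OpenBMC project: it checks which interfaces are still administratively UP and which TCP listeners are bound to something other than loopback. It assumes the BMC image provides iproute2's `ip` and `ss` (run with `--live`); the sample output embedded below is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Interfaces still administratively UP, loopback excluded.
# Argument: text in `ip -o link` format.
up_interfaces() {
    printf '%s\n' "$1" | awk '$2 != "lo:" && $3 ~ /[<,]UP[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# TCP listeners reachable off-box: anything not bound to 127.x or [::1].
# Wildcard binds (0.0.0.0, [::]) are reported as exposed.
# Argument: text in `ss -Hltn` format (no header line).
exposed_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^\[::1\]:/ { print $4 }'
}

# Report findings; returns 0 only when no interface is up and nothing listens off-box.
# Arguments: `ip -o link` text, `ss -Hltn` text.
audit_text() {
    ifs=$(up_interfaces "$1")
    lst=$(exposed_listeners "$2")
    for i in $ifs; do printf 'interface still up: %s\n' "$i"; done
    for l in $lst; do printf 'listener reachable off-box: %s\n' "$l"; done
    [ -z "$ifs" ] && [ -z "$lst" ]
}

# Constructed sample: BMC before and after `ifconfig eth0 down`.
SAMPLE_LINKS_BEFORE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
SAMPLE_LINKS_AFTER='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN'
# Constructed sample: sshd and bmcweb on wildcard binds, one loopback-only service.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*'

# On the BMC itself: `sh audit.sh --live` inspects the running system.
if [ "${1-}" = "--live" ]; then
    audit_text "$(ip -o link)" "$(ss -Hltn)" && echo "BMC network stack is off the wire"
fi
```

Even with eth0 down the listeners still show up, which is the point: the service is merely unreachable, not gone, so the interface state is what has to be verified after every BMC reboot or firmware update.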