Fixing CVEs due to IPMI

9 October 2020
As companies become more security aware, third-party security tools are being used more heavily than ever before. One such tool is a security scanner, which reviews the open network ports within an environment and reports back on known vulnerabilities (CVEs) associated with them. This includes the open ports of Nutanix-specific components such as the IPMI.

While it is important to keep the IPMI/BMC upgraded to the latest version so that it carries the latest security patches, there are CVEs that scanners will still report as failed based on the default IPMI configuration. This is because the virtual media port (623) and the iKVM port (5900) are open by default.

The virtual media port allows the user to open a remote session to the host console and the iKVM port allows the hosts to query information from the BMC.

The specific CVEs affected by these two ports being open can be found in KB 2555. NOTE: If these features are disabled, you will no longer be able to query BMC information over the network or open a remote console session to the IPMI.
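The post explains that scanners flag the BMC because 623 and 5900 answer by default, and that closing them (per KB 2555) removes both the findings and the remote functionality. The script below is an added example, not code from the original post or from Nutanix: a small verification check an administrator can run against their own BMC addresses before and after the change, so the scanner result is understood rather than guessed. It sends the standard RMCP/ASF "Presence Ping" to 623/udp (the same probe ipmitool and nmap use to detect IPMI-over-LAN) and attempts a plain TCP connect to 5900. The host list, timeouts, and `SAMPLE_PONG` bytes are constructed placeholders for illustration.

```python
"""Added example (not part of the original post): check whether a BMC still
answers on the two default IPMI ports that scanners flag, 623/udp (RMCP)
and 5900/tcp (iKVM). Hosts and timeouts below are placeholders."""
import socket
import struct
from typing import Dict, List, Optional

RMCP_PORT = 623
IKVM_PORT = 5900
ASF_IANA = 0x000011BE  # IANA enterprise number used by the ASF/RMCP specification


def build_rmcp_presence_ping(tag: int = 0) -> bytes:
    """Build the 12-byte RMCP/ASF Presence Ping sent to 623/udp."""
    # RMCP header: version 6, reserved, sequence 0xFF (no ACK requested), class 6 = ASF
    header = bytes([0x06, 0x00, 0xFF, 0x06])
    # ASF body: IANA, message type 0x80 = Presence Ping, message tag, reserved, data length 0
    body = struct.pack(">IBBBB", ASF_IANA, 0x80, tag & 0xFF, 0x00, 0x00)
    return header + body


def parse_rmcp_presence_pong(data: bytes) -> Optional[Dict[str, int]]:
    """Decode a Presence Pong; return None if the bytes are not a valid pong."""
    if len(data) < 28 or data[0] != 0x06 or data[3] != 0x06:
        return None
    iana, msg_type, tag, _reserved, length = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != 0x40 or length < 16:
        return None
    # Data section: OEM IANA (4), OEM defined (4), supported entities (1), interactions (1), reserved (6)
    entities = data[20]  # bit 7 = IPMI supported, bits 0-3 = ASF version
    return {"tag": tag, "ipmi_supported": int(bool(entities & 0x80)), "asf_version": entities & 0x0F}


def probe_rmcp(host: str, timeout: float = 2.0) -> Optional[Dict[str, int]]:
    """Send a Presence Ping to host:623/udp and decode any reply (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rmcp_presence_ping(), (host, RMCP_PORT))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_rmcp_presence_pong(data)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(rmcp_answered: bool, ikvm_open: bool) -> List[str]:
    """Translate the two probe results into the findings a scanner would raise."""
    findings = []
    if rmcp_answered:
        findings.append("623/udp answers RMCP presence ping: IPMI-over-LAN CVEs will be reported")
    if ikvm_open:
        findings.append("5900/tcp accepts connections: iKVM/remote console CVEs will be reported")
    return findings


# Constructed sample pong (not captured from a real BMC): entities byte 0x81 =
# IPMI supported + ASF version 1. Used to exercise the parser offline.
SAMPLE_PONG = (
    bytes([0x06, 0x00, 0xFF, 0x06])
    + struct.pack(">IBBBB", ASF_IANA, 0x40, 0x00, 0x00, 0x10)
    + bytes(4) + bytes(4) + bytes([0x81, 0x00]) + bytes(6)
)


def check_bmc(host: str) -> List[str]:
    """Run both probes against one BMC address and return the findings."""
    pong = probe_rmcp(host)
    return classify(pong is not None, probe_tcp(host, IKVM_PORT))


if __name__ == "__main__":
    for bmc in ["192.0.2.10", "192.0.2.11"]:  # placeholder BMC addresses
        result = check_bmc(bmc)
        print(bmc, "->", result if result else "neither default IPMI port is exposed")
```

Run it from a host with network reachability to the BMC subnet. An empty result after disabling the two features confirms the scanner should no longer raise the KB 2555 CVEs, and, as the note above says, also confirms that remote BMC queries and console sessions are no longer possible over the network.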

