Table of Contents

Option 1: Disable the IPMI Service

The IPMI service settings can typically be managed via the web page in the Administration section. Specifically, on the HP iLO, navigate to the Administration->Access Settings page and set the “IPMI over LAN Access” to “Disabled”. Disable IPMI over LAN

Option 2: Implement a Strong Password

If disabling the service is not an option, updating the password to be much stronger will prevent attackers from cracking the hash obtainable from this vulnerability. Change the credential’s password and consider implementing additionally security policies. Typically to update passwords on these systems, log in via the web page, access the account settings, and update the password.

Option 3: Implement a Strong Password Policy

Ensure a strong password policy is in place and users are properly trained on best practices. The National Institute of Standards and Technology (NIST) commonly releases guidance on password best practices which include:

  • A minimum length of 8 characters
  • Blacklisting passwords that contain dictionary words, repetitive or sequential characters, and the company name
  • Implement Multi-Factor Authentication when available
  • For more detail see NIST 800-63-3

Option 4: Implement a Configuration Management Policy

Often, systems and applications will be installed without the default credentials being changed. Identify a configuration management process that ensures default credentials are changed before systems are deployed in a production environment.