Cleartext Transmission of Sensitive Information in the pyghmi Module
The Python module pyghmi provides a number of functions for accessing IPMI
servers. IPMI is a protocol for accessing and administrating servers at the
hardware level. IPMI runs on the Baseboard Management Controller (BMC) and
provides access to the BIOS, disks, and other hardware.
However, the protocol and thus the Python module does not provide adequate security features. This means that data transmitted over the network, including passwords, is sent in cleartext. This makes it possible for attackers to intercept and read this data.
The Python module pyghmi should not be used for accessing IPMI servers on an
untrusted network.
Example
from pyghmi.ipmi import command
cmd = command.Command(bmc="bmc",
userid="userid",
password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")
Remediation
If the IPMI protocol must be used and sensitive data will be transferred, it is recommended to secure the connection using SSH tunneling. If available, SSH transport networking data over an encrypted connection.
Otherwise, it is very important to keep communication with IPMI over a private secure network.
import paramiko
# IPMI device information
ipmi_port = 623
ipmi_username = 'your_ipmi_username'
ipmi_password = 'your_ipmi_password'
# SSH server information
ssh_host = 'ssh.example.com'
ssh_port = 22
ssh_username = 'your_ssh_username'
ssh_password = 'your_ssh_password'
# Local port to forward the IPMI traffic through
local_port = 6230
try:
# Connect to the SSH server
ssh_client = paramiko.SSHClient()
ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy())
ssh_client.connect(ssh_host, ssh_port, ssh_username, ssh_password)
# Set up the SSH tunnel
transport = ssh_client.get_transport()
transport.set_keepalive(30)
transport.request_port_forward('', ipmi_port)
print('SSH tunnel established. IPMI traffic is being forwarded to localhost')
# You can now communicate with the IPMI device through the SSH tunnel.
# For example, you can use an IPMI client or library like 'pyghmi' to interact with the IPMI device using the local_port.
transport.cancel_port_forward('', local_port)
ssh_client.close()
except Exception as e:
print(f'Error: {e}')
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY519) or
rule category name (cleartext_transmission).
- Using rule ID
- Using category name
from pyghmi.ipmi import command
# suppress: PY519
cmd = command.Command(bmc="bmc",
userid="userid",
password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")
from pyghmi.ipmi import command
# suppress: cleartext_transmission
cmd = command.Command(bmc="bmc",
userid="userid",
password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")