IPMI network LAN interface failover operational risk

Summary

Some models of FortiAnalyzer and FortiManager have a default setting of "Failover", for remote IPMI access; this means that if no cable is plugged in the IPMI port, the IPMI implementation will request an IP address on the regular LAN port of the device, via DHCP requests.

Should such a DHCP request succeed, access to the IPMI web GUI is then possible on the granted IP address, via the regular LAN port of the device.

This presents an operational risk, as this default behavior may not be known or understood by administrators of the device; the latter risk is more important if the default IPMI admin passwords have not been changed.

Affected Products

FortiAnalyzer models:
FAZ-400E, FAZ-1000E, FAZ-2000E, FAZ-3000F, FAZ-3500F, FAZ-3700F
FortiManager models:
FMG-300E, FMG-400E, FMG-2000E, FMG-3000F
Other models and Fortinet products are confirmed to not have a default Failover setting.

Solutions

IPMI firmware has been updated to avoid that potential operational risk, and production shipments after July 2017 do not present that risk. For customer using affected models, Fortinet PSIRT suggests checking the IPMI interface settings and making sure the IPMI port option is set to "Dedicated" instead of "Failover". The procedure is detailed in this document entry: https://docs.fortinet.com/document/fortimanager/hardware/disable-the-ipmi-port/ As a measure of precaution, and regardless the product, when an IPMI port is present, we also suggest to not leave the IPMI interface admin password to its default value. The procedure to change it is detailed in this document entry: https://docs.fortinet.com/document/fortimanager/hardware/change-the-ipmi-port-password/

Acknowledgement

Fortinet is pleased to thank "taNET GmbH", "BOLL Engineering AG" and "CIC Consulting Informatico" for reporting this operational risk under responsible disclosure.