There’s a great post by Rob VandenBrink over at the ISC Handler’s Diary about embedded devices that are hiding in plain sight in your data center.
I was recently in a client engagement where we had to rebuild / redeploy some ESXi 4.x servers as ESXi 5.1. This was a simple task, and quickly done (thanks VMware!), but before we were finished I realized that we had missed a critical part – the remote managent [sic] port on the servers. These were iLO ports in this case, as the servers are HP’s, but they could just as easily have been DRAC / iDRAC (Dell), IMM or AMM (IBM) or BMC (Cisco, anything with a Tyan motherboard or lots of other vendors). These “remote management ports are in fact all embedded systems – Linux servers on a card, booting from flash and usually running a web application. This means that once you update them (via a flash process) they are “frozen in time” as far as Linux versions and patches go. In this case, these iLO cards hadn’t been touched in 3 years.
So from a security point of view, all the OS version upgrades and security patches from the last 3 years had NOT been applied to these embedded systems.
This is a thorny issue as systems often need downtime to patch these systems. Check out the thread there for how others are handing or mitigating this.
Oh, and I’ll throw in Sun’s LOM (Lights Out Management) to the list.