Dell EMC iDRAC has been updated to address a path traversal vulnerability in iDRAC versions prior to 18.104.22.168. The vulnerability, discovered in the Integrated Dell Remote Access Controller (iDRAC), could allow cyber criminals to obtain control over server operations. SKOUT recommends updating to the latest firmware release, which resolves the vulnerability.
Technical detail and additional information
What is the threat?
“Path Traversal” refers to the improper limitation of a pathname to a restricted directory: user-supplied path input is not confined to the directory it is meant to stay in, so it can reach files elsewhere on the system. Dell EMC iDRAC versions prior to version 22.214.171.124 contain this vulnerability. A remote authenticated user could make changes to the iDRAC controller settings by manipulating input parameters to gain unauthorized read access to arbitrary files. This high-severity directory traversal vulnerability affected the vulnerable versions of the iDRAC, which is the web services interface of the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software firewall products.
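As an added illustration (not code from the advisory, from Dell or from Positive Technologies), the pattern behind a path traversal flaw and its mitigation in Python, using a constructed throwaway directory layout: a naive file read that lets the request escape its directory, beside a resolver that canonicalises the path and refuses anything outside the restricted directory.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """The flaw pattern: a naive join does not limit the pathname to base_dir,
    so '../' sequences (or an absolute path) reach files outside it."""
    return Path(os.path.join(base_dir, requested)).read_bytes()


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Canonicalise the requested path and require it to stay inside base_dir.
    resolve() collapses '..' and follows symlinks, so a link planted inside
    base_dir that points outside is rejected as well."""
    base = Path(base_dir).resolve()
    # An absolute 'requested' makes base / requested discard base entirely;
    # the containment check below catches that case too.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes restricted directory: {requested!r}")
    return candidate


def safe_read(base_dir: str, requested: str) -> bytes:
    return safe_resolve(base_dir, requested).read_bytes()


def demo() -> dict:
    """Constructed test layout: run both readers on legitimate and traversing input."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"                          # the restricted directory
    public.mkdir()
    (public / "readme.txt").write_bytes(b"allowed")
    (root / "secret.txt").write_bytes(b"outside")     # must never be served
    results = {
        "vuln_legit": vulnerable_read(str(public), "readme.txt"),
        "vuln_escape": vulnerable_read(str(public), "../secret.txt"),  # leaks
        "safe_legit": safe_read(str(public), "readme.txt"),
    }
    probes = {"safe_dotdot": "../secret.txt",
              "safe_nested": "sub/../../secret.txt",
              "safe_absolute": str(root / "secret.txt")}
    for label, bad in probes.items():
        try:
            safe_read(str(public), bad)
            results[label] = "ALLOWED"
        except PermissionError:
            results[label] = "BLOCKED"
    return results
```

Calling `demo()` returns the outcome of each read, showing the naive reader leaking the file outside its directory while the resolving reader blocks every escape.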
Why is this noteworthy?
Dell is ranked as a world leader in the server market and iDRAC is offered as an option for almost all of the current Dell servers. The Cisco ASA line of security devices protects corporate networks, business infrastructure, and data centers of all sizes. There are more than one million of these devices deployed throughout the world. The Cisco Firepower Threat Defense (FTD) is a fully integrated, threat-focused next-generation firewall with unified management that is relied upon to provide advanced threat protection against cyber attacks. The degradation of these integral security appliances could have a severe negative impact on an organization’s overall security posture, possibly resulting in the loss of business and revenue.
What is the exposure or risk?
Positive Technologies, the research group that discovered the dangerous web vulnerability in the Dell EMC iDRAC remote access controller, explained that if attackers obtained the backup of a privileged user, the exploit could be used to block or disrupt a server’s operation. Additionally, the flaw could allow a remote authenticated user to change power or cooling settings on the iDRAC. The Path Traversal vulnerability received a score of 7.1, reflecting a high degree of potential danger. Although Dell recommends not connecting an iDRAC controller to the Internet, it is estimated that many such controllers are accessible over SNMP.
What are the recommendations?
SKOUT recommends updating to the latest Dell EMC iDRAC firmware release (version 126.96.36.199) and following the best practices outlined at https://www.dell.com/support/article/en-us/sln322125/dsa-2020-128-idrac-local-file-inclusion-vulnerability?lang=en:
- The iDRAC is intended to be on a separate management network. The iDRAC is not designed nor intended to be placed on, nor connected directly to the Internet. Doing so could expose the connected system to security and other risks for which Dell EMC is not responsible.
- Dell EMC recommends using the Dedicated Gigabit Ethernet port available on rack and tower servers to connect the iDRAC to a separate management network.
- Along with locating iDRAC on a separate management network, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.
- Dell EMC recommends using 256-bit encryption strength as well as TLS 1.2 or higher. For tighter control, additional ciphers may be removed via “Cipher Select” – see the iDRAC User Guide for more details.
- Dell EMC recommends additional settings such as IP range filtering and System Lockdown Mode.
- Dell EMC recommends using additional security authentication options such as Microsoft Active Directory or LDAP.
- Dell EMC recommends keeping iDRAC firmware up to date.
If you have any questions, please contact our Security Operations Center.