Positive Technologies researchers Georgy Kiguradze and Mark Ermolov have discovered a dangerous web vulnerability in the Dell EMC iDRAC remote access controller.¹ An attacker can exploit this vulnerability to obtain full control of server operation by turning it on or off, as well as changing settings such as for cooling and power. Dell EMC has released updated firmware and urges users to install it as soon as possible.
Path Traversal vulnerability CVE-2020-5366 has a score of 7.1, reflecting a high degree of danger. A remote authenticated user with low privileges can leverage the vulnerability to obtain unauthorized access and read arbitrary files.
Despite Dell's recommendation not to connect iDRAC to the Internet, and although the product is relatively new, public search engines already reveal several Internet-accessible iDRAC instances, which would facilitate exploitation by an external attacker. Moreover, more than 500 such controllers are accessible over SNMP.²
Georgy Kiguradze explains: "The iDRAC controller is used to manage key servers, effectively functioning as a separate computer inside the server itself. iDRAC runs on ordinary Linux, although in a limited configuration, and has a fully-fledged file system. The vulnerability makes it possible to read any file in the controller's operating system, and in some cases, to interfere with operation of the controller (for instance during reading symbolic Linux devices like /dev/urandom). If attackers obtain the backup of a privileged user, they can block or disrupt the server's operation. This attack can be performed externally—if an attacker has credentials, perhaps by bruteforcing, although this is unlikely given the product's anti-bruteforcing protections—or internally, such as with the account of a junior admin with limited access to the server."
Path Traversal, according to Positive Technologies’ data, is consistently one of the three most common vulnerabilities. In the hands of an attacker, Path Traversal enables viewing the content of server folders that should not be accessible even to a logged-in ordinary site user. The biggest draw for most hackers is to read the file /etc/passwd, which stores information about Linux users. Recently, two such vulnerabilities were found in the popular video conferencing app Zoom, with which a remote attacker could theoretically breach the system of any participant in a group call.
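The path traversal pattern described above, as an added illustration that is not code from the advisory or from iDRAC: a naive file-serving routine that trusts a user-supplied name, beside a hardened one that canonicalises the path, confines it to a base directory and refuses non-regular files such as /dev/urandom (the device read the researcher mentions as a way to interfere with the controller). The sandbox directory, file names and function names are constructed for this example.

```python
import os
import tempfile

# Constructed sandbox standing in for a controller's file system (an assumption:
# the advisory does not show the real handler, so this layout is illustrative).
TOP = tempfile.mkdtemp()
ROOT = os.path.join(TOP, "www")            # the only directory the handler may serve
os.makedirs(os.path.join(ROOT, "logs"))
with open(os.path.join(ROOT, "logs", "sel.log"), "w") as f:
    f.write("system event log\n")
with open(os.path.join(TOP, "secret.txt"), "w") as f:   # lives outside ROOT
    f.write("not for web users\n")
try:
    os.symlink("/dev/urandom", os.path.join(ROOT, "rand"))  # device reachable via a link
except OSError:
    pass  # symlink creation may be unavailable; the hardened check still rejects "rand"


def read_file_vulnerable(base, name):
    """Naive join: '../' segments or an absolute name leave the base directory."""
    with open(os.path.join(base, name), "rb") as f:
        return f.read()


def read_file_hardened(base, name):
    """Canonicalise, then require the target to sit inside base and be a regular file."""
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, name))
    # realpath follows symlinks, so a link to /dev/urandom resolves outside base
    if os.path.commonpath([real_base, target]) != real_base:
        raise PermissionError("path escapes base directory: %s" % name)
    # device nodes, FIFOs and directories are never served: a read from a
    # device such as /dev/urandom would tie up the handler instead of returning a file
    if not os.path.isfile(target):
        raise PermissionError("not a regular file: %s" % name)
    with open(target, "rb") as f:
        return f.read()


def is_rejected(base, name):
    """True when the hardened reader refuses the request."""
    try:
        read_file_hardened(base, name)
    except PermissionError:
        return True
    return False
```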
IDC reporting ranks Dell as a world leader on the server market. iDRAC is offered as an option for almost all current Dell servers.
Dell EMC iDRAC9 controllers with firmware versions prior to 220.127.116.11 are affected. To fix the vulnerability, companies must install Dell EMC iDRAC9 firmware version 18.104.22.168, close the standard public and private SNMP communities, and use SNMPv3 in accordance with all security guidelines.
Best practices for iDRAC use include:
- Place iDRAC on a separate administration network. Do not connect it directly to the Internet.
- Dell EMC recommends using a dedicated Gigabit Ethernet port on servers for connecting iDRAC to a separate administration network.
- Along with placing iDRAC on a separate network, companies should isolate the administration network or VLAN (such as with a firewall) and restrict access to the subnet or VLAN to authorized server administrators only.
- Dell EMC recommends using 256-bit encryption and TLS 1.2 or later.
- Dell EMC recommends configuration options such as IP address range filtering and system lockdown mode.
- Dell EMC recommends additional authentication such as Microsoft Active Directory or LDAP.
- Dell EMC strongly recommends updating iDRAC firmware.
¹ Dell iDRAC is a hardware component (baseboard management controller) located on the server motherboard. iDRAC enables system administrators to remotely update, monitor, troubleshoot, and restore a Dell server even when the server is turned off.
² SNMP is a standard protocol for administering devices on IP networks.