Lucene search

CERTVU:843044

HistoryDec 18, 2014 - 12:00 a.m.

Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values

2014-12-1800:00:00

www.kb.cert.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.022 Low

EPSS

Percentile

89.5%

JSON

Overview

The Intelligent Platform Management Interface (IPMI) v1.5 implementations in multiple Dell iDRAC releases are vulnerable to arbitrary command injection due to use of insufficiently random session ID values.

Description

CWE-330: Use of Insufficiently Random Values - CVE-2014-8272

The IPMI v1.5 implementations in multiple Dell iDRAC releases, including versions of iDRAC6 modular/monolithic and iDRAC7, are vulnerable to arbitrary command injection due to use of predictable and limited session ID values. Session IDs are assigned incrementally rather than randomly, enabling an authenticated user to predict subsequent session IDs based on his own session. However, due to the small pool of possible session ID values, brute force guessing attacks are viable and authentication is not necessary.

Dell has issued the following statement:

The legacy nature of the IPMI 1.5 protocol exposes several weaknesses in the overall design and implementation. These are:

  * _Use of an insecure (unencrypted) channel for communication._
  * _Poor password management including limited password length._
  * _Limited session management capability._

These weaknesses are inherent in the overall design and implementation of the protocol, therefore support for the IPMI 1.5 version of the protocol has been permanently removed. This means that it will not be possible to reactivate or enable it in an operational setting.

Dell’s full statement can be viewed in Vendor Information below.

Impact

A remote, unauthenticated attacker can inject arbitrary commands into a privileged session.

Solution

Apply an update

Dell has released the following updates that completely remove IPMI v1.5 code:

* iDRAC6 modular – [version 3.65](&lt;http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=61W8X&gt;)
* iDRAC6 monolithic - [version 1.98](&lt;http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=78M0V&gt;)
* iDRAC7 – [version 1.57.57](&lt;http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=XH6FX&gt;)

Note that removing IPMI v1.5 is a violation of the IPMI v2.0 specification, section 13.4, which requires backwards compatibility with IPMI v1.5. Other than requiring users to adopt IPMI v2.0 at the exclusion of the insecure IPMI v1.5, no additional impact of the violation is known.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Dell advises the following:

DRAC’s are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.
Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.

Vendor Information

The following versions of Dell iDRAC are affected: iDRAC6 modular, versions 3.60 and below; iDRAC6 monolithic, versions 1.97 and below; iDRAC7, versions 1.56.55 and below.

843044

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Dell Computer Corporation, Inc. __ Affected

Notified: December 01, 2014 Updated: December 16, 2014

Statement Date: December 09, 2014

Status

Affected

Vendor Statement

Dell Response to VU #843044**–**Arbitrary Command Injection for IPMI 1.5 [05 December 2014]

Summary

Due to the vulnerabilities inherent in IPMI 1.5, Dell has removed IPMI 1.5 code completely. Dell recommends upgrading to the following firmware release or greater to eliminate all such vulnerabilities related to the IPMI 1.5 protocol:

  * iDRAC6 modular – version 3.65
  * iDRAC6 monolithic - version 1.98
  * iDRAC7 – version 1.57.57
  * iDRAC8 – N/A - IPMI 1.5 not present in iDRAC8 firmware

The legacy nature of the IPMI 1.5 protocol exposes several weaknesses in the overall design and implementation. These are:

  * Use of an insecure (unencrypted) channel for communication.
  * Poor password management including limited password length.
  * Limited session management capability.

Dell Best Practices

Dell advises the following:

DRAC’s are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.
Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.

Dell would like to thank Mr. Yong Chuan Koh for reporting this vulnerability by following responsible disclosure process and we appreciate his patience and cooperation through the period he interacted with Dell on discussions related to this vulnerability.