Technology giant Dell EMC issued a security patch for a path traversal vulnerability in the Integrated Dell Remote Access Controller (iDRAC) that could allow threat actors to gain full control of server operations. The company urged users to update their devices with the latest firmware to avoid further risk. The vulnerability, tracked as CVE-2020-5366 and rated high with a CVSS score of 7.1, was discovered by security researchers Georgy Kiguradze and Mark Ermolov of Positive Technologies.
iDRAC is designed for secure local and remote server management and allows IT administrators to deploy, update and monitor Dell EMC PowerEdge servers remotely. The researchers stated that an attacker can exploit this vulnerability to obtain full control of server operation, turning the server on or off and changing its cooling and power settings. Path traversal is one of the three most common classes of vulnerability; it enables attackers to view the contents of server directories that should be inaccessible even to an ordinary logged-in site user.
A remote authenticated malicious user with low privileges could potentially exploit this vulnerability by manipulating input parameters to gain unauthorized read access to arbitrary files.
– Dell said in a security advisory.
The vulnerability affects Dell EMC iDRAC9 controllers with firmware versions prior to 126.96.36.199. To fix the vulnerability, users must install Dell EMC iDRAC9 firmware version 188.8.131.52, close the standard public and private SNMP communities, and use SNMPv3 in accordance with all security guidelines.
Dell EMC also recommended certain security practices for iDRAC use; these include:
- Place iDRAC on a separate administration network. Do not connect it directly to the internet
- It is recommended to use a dedicated Gigabit Ethernet port on servers for connecting iDRAC to a separate administration network
- Along with placing iDRAC on a separate network, companies should isolate the administration network or VLAN (such as with a firewall) and restrict access to the subnet or VLAN to authorized server administrators only
- Use 256-bit encryption and TLS 1.2 or later
- It is recommended to use configuration options like IP address range filtering and system lockdown mode
- Dell EMC recommends additional authentication such as Microsoft Active Directory or LDAP and strongly suggests updating iDRAC firmware
Kiguradze said, “The vulnerability makes it possible to read any file in the controller’s operating system, and in some cases, to interfere with operation of the controller (for instance during reading symbolic Linux devices like /dev/urandom). If attackers obtain the backup of a privileged user, they can block or disrupt the server’s operation. This attack can be performed externally — if an attacker has credentials, perhaps by brute-forcing, although this is unlikely given the product’s anti-brute-forcing protections — or internally, such as with the account of a junior admin with limited access to the server.”
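The two weaknesses the article describes (a request parameter joined onto a base directory without containment, and a file-serving routine that will happily open a Linux device node such as /dev/urandom) are illustrated below in an added Python example that is not code from Dell, iDRAC or Positive Technologies. The base directory and the request values are constructed for the demonstration; the hardened resolver canonicalises the path, checks it is still inside the base, and then serves only regular files.

```python
import os
import stat

# Constructed base directory for the example; no real product path is implied.
BASE_DIR = "/srv/web/files"


def resolve_unsafe(user_path, base_dir=BASE_DIR):
    """'Before' form: the request parameter is joined onto the base directory
    with no containment check. "../" segments walk out of base_dir, and an
    absolute parameter (e.g. "/etc/passwd") replaces base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_safe(user_path, base_dir=BASE_DIR):
    """Hardened form. Returns the canonical path, or None if the parameter
    would escape base_dir. The caller must pass the parameter URL-decoded
    exactly once, so encoded dots and slashes cannot slip past the check."""
    base = os.path.realpath(base_dir)
    # Drop leading separators so an absolute parameter cannot replace base_dir.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    # Containment: the canonical target must still sit under the canonical base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_regular_file(path):
    """Second gate: serve only existing regular files. Character devices such
    as /dev/urandom, FIFOs and directories are refused, which also removes the
    blocking-read behaviour the researcher describes."""
    try:
        return stat.S_ISREG(os.lstat(path).st_mode)
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed request values showing how each resolver treats them.
    for param in ("reports/q2.txt", "../../../etc/passwd", "/dev/urandom"):
        print(f"{param!r}: unsafe -> {resolve_unsafe(param)}, "
              f"safe -> {resolve_safe(param)}")
```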