Researchers have disclosed details of a recently patched a path traversal vulnerability in the iDRAC technology can allow remote attackers to take over control of server operations.

The web vulnerability was found in the Dell EMC iDRAC remote access controller, technology embedded within the latest versions of Dell PowerEdge servers.

Vulnerability:

The path traversal vulnerability (CVE-2020-5366), found in Dell EMC iDRAC9 versions prior to 4.20.20.20, is rated as a 7.1 in terms of exploitability, giving it a high-severity vulnerability rating.

How the attackers exploit the Vulnerability:

If exploited, the flaw can allow attackers to view the content of server folders that should not be accessible even to someone who are logged in as an ordinary site user. iDRAC runs on Linux, and the specific appeal to hackers in exploiting the vulnerability would be the ability to read the file /etc/password, which stores information about Linux users.

Example:  An example of how this can be used by attackers is a recent attack on two vulnerabilities found on the Zoom video conferencing app that could allow remote attackers to breach the system of any participant in a group call. Indeed, a remote, authenticated malicious user with low privileges could potentially exploit the iDRAC flaw by manipulating input parameters to gain unauthorized read access to the arbitrary files.

iDRAC is designed to allow IT administrators to remotely deploy, update, monitor and maintain Dell servers without installing new software.

The vulnerability can only be exploited if iDRAC is connected to the internet. The iDRAC controller is used by network administrators to manage key servers, “effectively functioning as a separate computer inside the server itself.

Attackers can exploit the flaw externally by obtaining the back-up of a privileged user or if they have credentials or brute-force their way in. They also could use the account of a junior administrator with limited server access to exploit the flaw internally. Once an attacker gains control, he or she can externally block or disrupt the server’s operation.

Recommendations

It is recommended to consider the following best practices:

• To better secure Dell servers that use iDRAC, it is recommended that customers place iDRAC on a separate administration network and don’t connect the controller to the internet.
• Companies also should isolate the administration network or VLAN (such as with a firewall) and restrict access to the subnet or VLAN to authorized server administrators only.
• Customers are advised to updated to the iDRAC firmware that fixes the flaw
• To secure iDRAC against intrusion include using 256-bit encryption and TLS 1.2 or later; configuration options are such as:
• IP address range filtering and system lockdown mode;
• Additional authentication such as Microsoft Active Directory or LDAP.