Executive Summary

Summary
Title: Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values
Information
Name: VU#843044    First vendor publication: 2014-12-18
Vendor: VU-CERT    Last vendor modification: 2014-12-18
Severity (vendor): N/A    Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA    Environmental score: NA
Impact subscore: NA    Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS base score: 5    Attack range: Network
CVSS impact score: 2.9    Attack complexity: Low
CVSS exploit score: 10    Authentication: None required

Detail

Vulnerability Note VU#843044

Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values

Original Release date: 18 Dec 2014 | Last revised: 18 Dec 2014

Overview

The Intelligent Platform Management Interface (IPMI) v1.5 implementations in multiple Dell iDRAC releases are vulnerable to arbitrary command injection due to use of insufficiently random session ID values.

Description

CWE-330: Use of Insufficiently Random Values - CVE-2014-8272

The IPMI v1.5 implementations in multiple Dell iDRAC releases, including versions of iDRAC6 modular/monolithic and iDRAC7, are vulnerable to arbitrary command injection due to use of predictable and limited session ID values. Session IDs are assigned incrementally rather than randomly, enabling an authenticated user to predict subsequent session IDs based on their own session. However, because the pool of possible session ID values is small, brute-force guessing attacks are viable and authentication is not necessary.
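The weakness above (CWE-330) shows up as two measurable properties of the session IDs a BMC hands out: consecutive IDs differ by one, and the IDs stay inside a tiny fraction of the 32-bit field. The following audit helper is an added example, not Dell's or CERT/CC's code; it takes session IDs captured from your own BMC logins (the samples below are constructed) and reports both properties, with the thresholds being assumptions chosen for illustration.

```python
"""Flag session-ID generation that is sequential or drawn from a small pool.

Constructed example, not vendor or CERT/CC code. Input: session IDs in the
order the BMC issued them, as observed for your own sessions.
"""


def assess_session_ids(ids, id_bits=32, sequential_threshold=0.5):
    """Summarise how predictable a sequence of session IDs looks.

    ids                  -- session IDs in issue order
    id_bits              -- width of the session-ID field (32 for IPMI v1.5)
    sequential_threshold -- fraction of +1 steps that counts as "counter-like"
                            (assumed value, not from the advisory)
    """
    if len(ids) < 2:
        raise ValueError("need at least two session IDs")
    deltas = [b - a for a, b in zip(ids, ids[1:])]
    sequential_fraction = sum(1 for d in deltas if d == 1) / len(deltas)
    span = max(ids) - min(ids) + 1          # range the BMC actually used
    pool = 1 << id_bits                     # range the field could hold

    findings = []
    if sequential_fraction >= sequential_threshold:
        findings.append("sequential: the next ID follows from any current ID")
    # Heuristic (assumed): using under 1/65536 of the field means a guesser
    # only has to cover 'span' values, not 2**id_bits.
    if span * (1 << 16) <= pool:
        findings.append("small pool: observed IDs fit within %d values" % span)

    return {
        "sequential_fraction": sequential_fraction,
        "span": span,
        "findings": findings,
        "predictable": bool(findings),
    }


# Constructed sample 1: a counter-style allocator like the one described
# in the advisory (each new session gets the previous ID plus one).
COUNTER_IDS = [0x0000A2B0 + i for i in range(8)]

# Constructed sample 2: fixed values that spread across the full 32-bit
# field, the shape an auditor wants to see from a random allocator.
SPREAD_IDS = [0x3F9A12C4, 0x8B01E7D2, 0x1C77A9F0, 0xE5D20B6A,
              0x5A6F3C18, 0xB3E84D91, 0x0D2C6E57, 0x7E19F0A3]

if __name__ == "__main__":
    for label, sample in (("counter", COUNTER_IDS), ("spread", SPREAD_IDS)):
        print(label, assess_session_ids(sample))
```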

Dell has issued the following statement:

    The legacy nature of the IPMI 1.5 protocol exposes several weaknesses in the overall design and implementation. These are:
    • Use of an insecure (unencrypted) channel for communication.
    • Poor password management including limited password length.
    • Limited session management capability.

    These weaknesses are inherent in the overall design and implementation of the protocol, therefore support for the IPMI 1.5 version of the protocol has been permanently removed. This means that it will not be possible to reactivate or enable it in an operational setting.
Dell's full statement can be viewed in Vendor Information below.

Impact

A remote, unauthenticated attacker can inject arbitrary commands into a privileged session.

Solution

Apply an update

Dell has released the following updates that completely remove IPMI v1.5 code:

  • iDRAC6 modular - version 3.65
  • iDRAC6 monolithic - version 1.98
  • iDRAC7 - version 1.57.57

Note that removing IPMI v1.5 is a violation of the IPMI v2.0 specification, section 13.4, which requires backwards compatibility with IPMI v1.5. Other than requiring users to adopt IPMI v2.0 to the exclusion of the insecure IPMI v1.5, no additional impact of the violation is known.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Dell advises the following:
    DRACs are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.
    Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.

Vendor Information (Learn More)

The following versions of Dell iDRAC are affected: iDRAC6 modular, versions 3.60 and below; iDRAC6 monolithic, versions 1.97 and below; iDRAC7, versions 1.56.55 and below.

Vendor: Dell Computer Corporation, Inc.
Status: Affected
Date notified: 01 Dec 2014
Date updated: 16 Dec 2014

CVSS Metrics (Learn More)

Group          Score   Vector
Base           10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8     E:POC/RL:OF/RC:C
Environmental  6.4     CDP:LM/TD:M/CR:H/IR:H/AR:H

References

  • http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=61W8X
  • http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=78M0V
  • http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=XH6FX
  • http://www.intel.com/content/www/us/en/servers/ipmi/second-gen-interface-spec-v2-rev1-4.html

Credit

Thanks to Yong Chuan Koh for reporting this vulnerability during his time with IBM X-Force Research.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2014-8272
  • Date Public: 18 Dec 2014
  • Date First Published: 18 Dec 2014
  • Date Last Updated: 18 Dec 2014
  • Document Revision: 28

Original Source

Url : http://www.kb.cert.org/vuls/id/843044

Nessus® Vulnerability Scanner

Date: 2015-01-09
Name: The remote host is affected by an arbitrary command injection vulnerability.
File: drac_ipmi_cmd_inj.nasl - Type: ACT_GATHER_INFO

Alert History

Date                  Information
2015-01-10 13:23:29   Multiple updates
2014-12-20 00:26:21   Multiple updates
2014-12-19 17:26:33   Multiple updates
2014-12-18 17:17:51   First insertion