It has now been established that a ‘path traversal vulnerability’ in the iDRAC technology can allow remote attackers to take over control of server operations.
Researchers have disclosed details of a recently patched, high-severity Dell PowerEdge server flaw, which if exploited could allow an attacker to fully take over & control server operations.
The web vulnerability was found in the Dell EMC iDRAC remote access controller, technology embedded within the latest versions of Dell PowerEdge servers. While the vulnerability was fixed earlier this month, Georgy Kiguradze & Mark Ermolov, the researchers with Positive Technologies who discovered the flaw, published a detailed analysis.
The path traversal vulnerability (CVE-2020-5366), found in Dell EMC iDRAC9 versions prior to 184.108.40.206, is rated as a 7.1 in terms of exploitability, giving it a high-severity vulnerability rating, according to an advisory published online by Dell.
‘Path traversal’ is one of the 3 most common vulnerabilities researchers outlined that they come across in their investigations.
If exploited, the flaw could allow attackers to view the content of server folders that should not be accessible even to someone who is logged in as an ordinary site user. iDRAC runs on Linux, & the appeal to hackers in using this vulnerability would be the ability to read the file /etc/passwd, which stores information about Linux users, the researchers observed.
One example of how this can be used by attackers is a recent attack on 2 vulnerabilities found on the Zoom video conferencing app that could allow remote attackers to breach the system of any participant in a group call.
A remote, authenticated malicious user with low privileges potentially could exploit the iDRAC flaw by means of manipulating input parameters to gain unauthorised read access to the arbitrary files, Dell EMC warned in the advisory.
iDRAC is designed to allow IT admins. to remotely deploy, update, monitor & maintain Dell servers without installing new software. Dell has now released an update to the iDRAC firmware that fixes this flaw, & it recommends customers update asap.
The vulnerability can only be exploited if iDRAC is connected to the internet, which Dell EMC does not recommend, researchers suggested. IDRAC also is a relatively new technology in Dell EMC servers, so it may not be widely used yet.
Researchers revealed that public search engines had already found a number of Internet-accessible connections to iDRAC that could be exploited, as well as 500 controllers available for access using SNMP.
The iDRAC controller is used by network administrators to manage key servers, “effectively functioning as a separate computer inside the server itself,” Kiguradze explained to the press.
“iDRAC runs on ordinary Linux, although in a limited configuration, & has a fully-fledged file system,” he said. “The vulnerability makes it possible to read any file in the controller’s operating system, & in some cases, to interfere with operation of the controller–for instance during reading symbolic Linux devices like /dev/urandom.”
Attackers can exploit the flaw externally by obtaining the back-up of a privileged user, or if they have credentials or use brute-force to get in, Kiguradze observed. They also could use the account of a junior administrator with limited server access to use the flaw internally, he commented. Once an attacker gains control, they can externally block or disrupt the server’s operation.
To secure Dell servers that use iDRAC, researchers recommended that users put iDRAC on a different administration network & do not connect the controller to the internet.
Companies also should isolate the administration network or VLAN (such as with a firewall) & restrict access to the subnet or VLAN to authorized server administrators only.
Other recommendations by Dell EMC to secure iDRAC against intrusion include using 256-bit encryption & TLS 1.2 or later; configuration options such as IP address range filtering & system lockdown mode; and additional authentication such as Microsoft Active Directory or LDAP.