Researchers have disclosed details of a recently patched, high-severity Dell PowerEdge server flaw, which if exploited could allow an attacker to fully take over and control server operations.
The web vulnerability was found in the Dell EMC iDRAC remote access controller, technology embedded within the latest versions of Dell PowerEdge servers. While the vulnerability was fixed earlier in July, Georgy Kiguradze and Mark Ermolov, the researchers with Positive Technologies who discovered the flaw, published a detailed analysis, Tuesday.
The path traversal vulnerability (CVE-2020-5366), found in Dell EMC iDRAC9 versions prior to 126.96.36.199, is rated as a 7.1 in terms of exploitability, giving it a high-severity vulnerability rating, according to an advisory published online by Dell.
Path traversal is one of the three most common vulnerabilities researchers said that they come across in their investigations. If exploited, the flaw can allow attackers to view the content of server folders that should not be accessible even to someone who’s logged in as an ordinary site user. iDRAC runs on Linux, and the specific appeal to hackers in exploiting the vulnerability would be the ability to read the file /etc/passwd, which stores information about Linux users, the researchers said.
An example of how this can be used by attackers is a recent attack on two vulnerabilities found on the Zoom video conferencing app that could allow remote attackers to breach the system of any participant in a group call. Indeed, a remote, authenticated malicious user with low privileges could potentially exploit the iDRAC flaw by manipulating input parameters to gain unauthorized read access to the arbitrary files, Dell EMC warned in its advisory.
iDRAC is designed to allow IT administrators to remotely deploy, update, monitor and maintain Dell servers without installing new software. Dell has already released an update to the iDRAC firmware that fixes the flaw and it recommends customers update as soon as possible.
The vulnerability can only be exploited if iDRAC is connected to the internet, which Dell EMC does not recommend, researchers said. IDRAC also is a relatively new technology in Dell EMC servers, which means it may not be widely used yet.
Still, researchers said that public search engines already discovered several Internet-accessible connections to iDRAC that could be exploited, as well as 500 controllers available for access using SNMP.
The iDRAC controller is used by network administrators to manage key servers, “effectively functioning as a separate computer inside the server itself,” Kiguradze explained in a press statement.
“iDRAC runs on ordinary Linux, although in a limited configuration, and has a fully-fledged file system,” he said. “The vulnerability makes it possible to read any file in the controller’s operating system, and in some cases, to interfere with operation of the controller–for instance during reading symbolic Linux devices like /dev/urandom.”
Attackers can exploit the flaw externally by obtaining the back-up of a privileged user or if they have credentials or brute-force their way in, Kiguradze said. They also could use the account of a junior administrator with limited server access to exploit the flaw internally, he said. Once an attacker gains control, he or she can externally block or disrupt the server’s operation.
To better secure Dell servers that use iDRAC, researchers recommended that customers place iDRAC on a separate administration network and don’t connect the controller to the internet. Companies also should isolate the administration network or VLAN (such as with a firewall) and restrict access to the subnet or VLAN to authorized server administrators only.
Other recommendations by Dell EMC to secure iDRAC against intrusion include using 256-bit encryption and TLS 1.2 or later; configuration options such as IP address range filtering and system lockdown mode; and additional authentication such as Microsoft Active Directory or LDAP.