Hackers Can Turn Off Your Dell Servers Remotely Using the Newly Found iDRAC Vulnerability
Researchers who found the path transversal vulnerability also found hundreds of exposed servers via the internet.
A recently discovered security vulnerability in remote-access firmware on Dell servers can give hackers full access to the same systems data center managers use, enabling them to do things like turn off a server’s cooling fans or shut the machine down completely.
Security researchers who found the flaw have already identified hundreds of servers accessible in this way through the internet. The flaw is a “path transversal vulnerability.” It is a common type of vulnerability. A similar one was found recently in Zoom’s infrastructure, for example.
"This is a dangerous vulnerability," Georgy Kiguradze, one of the two researchers at Positive Technologies who discovered the flaw in Dell servers, told Data Center Knowledge. "They could gain full control of server operation, turn servers on or off, and change server cooling settings."
Kiguradze’s team announced last week that they had found the path transversal vulnerability in the Integrated Dell Remote Access Controller (iDRAC). Fortunately, there's a patch available. Unfortunately, criminals can sometimes exploit a vulnerability faster than data center managers can patch it, as happened in May with the SaltStack server management software.
If data centers don't move fast enough to install the new iDRAC patch, they could be facing some significant risks. Kiguradze couldn't say how many systems were potentially vulnerable for the attack, but Dell sells more servers than any other company in the world. "iDRAC is offered as an option for almost all current Dell servers," he said.
Dell recommends that iDRAC not be directly connected to the internet, but not all organizations are following that advice. "Public search engines already indicate several internet-accessible connections," said Kiguradze. His team was able to find more than 500 iDRAC controllers accessible over SNMP, a standard protocol for administering devices on IP networks.
In addition to installing the patch, he recommends that data center security managers should use web firewalls to defend against this and similar vulnerabilities. He also recommends placing iDRAC on a separate administration network, with access limited to authorized server administrators.
Dell, which did not respond to a request for comment from DCK, has also published a list of recommendations, which include using strong encryption, IP range filtering, System Lockdown Mode, and additional security authentication options, such as Microsoft Active Directory.
Dell's iDRAC is a baseband management controller used to monitor things like server power and hardware health. They're also known as “Lights Out Management,” Trevor Pott, product marketing director at Juniper Networks, told us.
"As with every other kind of sensor, LOMs are rarely updated and a massive security risk," he said. It's so much of a risk that hyperscalers don't include them in their servers. Instead, they designed their entire cloud platforms in such a way that if a physical server failed, operations would continue.
Path Traversal – an Old Flaw That Won’t Go Away
The path traversal vulnerability at the heart of this security flaw is nothing new. As a subcategory of broken access control, it's been on the OWASP Top 10 list since 2004, when the list first came out. You can read more about path traversal on the OWASP site.
But even though this vulnerability has been around for years, and developers should in theory be aware of it, it keeps popping up. Dell isn't the only high-profile vendor to have to release a patch to fix a path traversal flaw recently.
In June, researchers at Talos, Cisco's threat intelligence team, discovered a path traversal flaw in the video conferencing app Zoom. The vulnerability would allow an attacker to send a chat message to another Zoom user, or group, that would force the victim's computer to install a file or execute code.
In May, Cisco itself admitted that there was a vulnerability in the web services interface of its Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software that could allow an attacker to use path traversal to get access to files on targeted systems.
About the Authors
You May Also Like