Vulnerability Note VU#843044
Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values
The Intelligent Platform Management Interface (IPMI) v1.5 implementations in multiple Dell iDRAC releases are vulnerable to arbitrary command injection due to use of insufficiently random session ID values.
CWE-330: Use of Insufficiently Random Values - CVE-2014-8272
The IPMI v1.5 implementations in multiple Dell iDRAC releases, including versions of iDRAC6 modular/monolithic and iDRAC7, are vulnerable to arbitrary command injection due to use of predictable and limited session ID values. Session IDs are assigned incrementally rather than randomly, enabling an authenticated user to predict subsequent session IDs based on his own session. However, due to the small pool of possible session ID values, brute force guessing attacks are viable and authentication is not necessary.
These weaknesses are inherent in the overall design and implementation of the protocol, therefore support for the IPMI 1.5 version of the protocol has been permanently removed. This means that it will not be possible to reactivate or enable it in an operational setting.
A remote, unauthenticated attacker can inject arbitrary commands into a privileged session.
Apply an update
Note that removing IPMI v1.5 is a violation of the IPMI v2.0 specification, section 13.4, which requires backwards compatibility with IPMI v1.5. Other than requiring users to adopt IPMI v2.0 at the exclusion of the insecure IPMI v1.5, no additional impact of the violation is known.
As a general good security practice, only allow connections from trusted hosts and networks.
Dell advises the following:
Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.
Vendor Information (Learn More)
The following versions of Dell iDRAC are affected: iDRAC6 modular, versions 3.60 and below; iDRAC6 monolithic, versions 1.97 and below; iDRAC7, versions 1.56.55 and below.
|Vendor||Status||Date Notified||Date Updated|
|Dell Computer Corporation, Inc.||Affected||01 Dec 2014||16 Dec 2014|
CVSS Metrics (Learn More)
Thanks to Yong Chuan Koh for reporting this vulnerability from his time with IBM X-Force Research.
This document was written by Joel Land.
- CVE IDs: CVE-2014-8272
- Date Public: 18 Dec 2014
- Date First Published: 18 Dec 2014
- Date Last Updated: 18 Dec 2014
- Document Revision: 28
If you have feedback, comments, or additional information about this vulnerability, please send us email.