Dell Computer Corporation, Inc. Affected

Notified:  June 26, 2006 Updated: July 13, 2006



Vendor Statement

We have been investigating possible security issues with OpenManage Dell Server Assistant(DSA) related to SSH and X11. Dell Server Assistant, or DSA, is a bootable CD that facilitates bare metal (pre-OS) preparation and OS-installation. DSA helps the customer configure RAID and update drivers to prepare a system for installation of a Dell-supported Operating System. After careful testing and consultation, we believe that there is minimal material affect on the security of the system. Nevertheless, customers' confidence in the durability, reliability and security of our products is paramount. We have found that the only risk of infiltration happens during the time when the DSA installation CD is booted, actively engaged in a system interview, and the system is connected to the network. The most effective mitigation of risk is keeping the system off the network until DSA completes the system installation. This is the recommended solution in all cases for users of OpenManage 4.x and prior releases of the DSA CD. DSA installs require no network connectivity unless using the Advanced custom features for RedHat Linux installs with NFS or SMB shares. In all cases, once the OS is installed with proper security measures in place, the system is no longer at risk. We have developed programmatic solutions to mitigate the risk with the release of OpenManage 5.0 (SSH fix in current shipping version) and OpenManage 5.1 (SSH and X11 fixes in the coming months).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.