Notified:  December 01, 2014 Updated: December 16, 2014

Statement Date:   December 09, 2014

Status

Affected

Vendor Statement

Dell Response to VU #843044 – Arbitrary Command Injection for IPMI 1.5 [05 December 2014] Summary Due to the vulnerabilities inherent in IPMI 1.5, Dell has removed IPMI 1.5 code completely. Dell recommends upgrading to the following firmware release or greater to eliminate all such vulnerabilities related to the IPMI 1.5 protocol: iDRAC6 modular – version 3.65 iDRAC6 monolithic - version 1.98 iDRAC7 – version 1.57.57 iDRAC8 – N/A - IPMI 1.5 not present in iDRAC8 firmware The legacy nature of the IPMI 1.5 protocol exposes several weaknesses in the overall design and implementation. These are: Use of an insecure (unencrypted) channel for communication. Poor password management including limited password length. Limited session management capability. These weaknesses are inherent in the overall design and implementation of the protocol, therefore support for the IPMI 1.5 version of the protocol has been permanently removed. This means that it will not be possible to reactivate or enable it in an operational setting. Dell Best Practices Dell advises the following: DRAC’s are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible. Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators. Dell would like to thank Mr. Yong Chuan Koh for reporting this vulnerability by following responsible disclosure process and we appreciate his patience and cooperation through the period he interacted with Dell on discussions related to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.