DELL-Joey C
Moderator
4.1K Posts
0
September 29th, 2020 21:00
Hi,
Thanks for the input on the vulnerability result. I'll update it in the case logs so it can be pulled for review, though I'm not sure it's going to be in the next update.
DELL-Charles R
Moderator
4.7K Posts
1
September 23rd, 2020 13:00
Hello scorpion81,
There is only one password per user but you can set up multiple users.
https://dell.to/3kJ871H
Page 145: Configuring local users using iDRAC web interface
You can also enable LAN privilege level, Serial port privilege level, serial over LAN status, SNMPv3 authentication, authentication type and the privacy type for the user.
For example, this one has some good screenshots: https://dell.to/367OH2F
Please let me know if this helps.
scorpion81
3 Posts
0
September 28th, 2020 20:00
Hi Charles, thanks for the response. The 1st link you sent is not working.
But having 2 separate users (one for auth and the other with only privacy enabled) does not address the problem. It makes the Nessus & Rapid7 vulnerability scanners flag it as a critical vulnerability. This is because, if I create a user with only authentication enabled, the vulnerability scanner then complains that the user is without a privacy password, and vice versa. I would be glad if the next firmware update to iDRAC 9 addresses this and lets us configure separate passwords for the same SNMPv3 user.
DELL-Joey C
Moderator
4.1K Posts
0
September 29th, 2020 00:00
Hi,
Thanks for the suggestion. I'll update the case and let the engineer pull it for future enhancement notes, though I'm not sure if it is going to be in the next updates. Do you happen to have the vulnerability notes of the application that you're using? Are there specific codes for the vulnerability?
Let us know.
scorpion81
3 Posts
0
September 29th, 2020 16:00
Hi @DELL-Joey C, here is the vulnerability that gets triggered when the auth & privacy passwords are the same for the user: https://www.rapid7.com/db/vulnerabilities/snmp-v3-authentication-passphrase-equals-privacy-passphrase
Here is the vulnerability when a user is created with either one of the passwords (authentication or privacy): https://www.rapid7.com/db/vulnerabilities/snmp-v3-no-authentication-protocol
As you can see, both are Severity 8: High
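Background on the first finding, as an added example that is not part of the thread or Dell's code: in SNMPv3 USM the privacy key is derived with the same RFC 3414 password-to-key function (and the same hash) as the authentication key, so a single passphrase per user yields identical key material for both. The user records, field names and finding labels below are constructed for illustration; the engine ID is the RFC 3414 A.3 test value.

```python
import hashlib

def localized_key(passphrase: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2 password-to-key, then localization to one engine ID."""
    if not passphrase:
        raise ValueError("empty passphrase")
    # Stretch the passphrase to exactly 1 MiB by repetition, then hash (Ku).
    stretched = (passphrase * (1048576 // len(passphrase) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()
    # Localize: Kul = H(Ku || engineID || Ku)
    return hashlib.new(algo, ku + engine_id + ku).digest()

def audit_user(user: dict, engine_id: bytes) -> list:
    """Return findings for one SNMPv3 user record (hypothetical schema)."""
    findings = []
    auth, priv = user.get("auth_pass"), user.get("priv_pass")
    if not auth:
        findings.append("no-authentication")
    if not priv:
        findings.append("no-privacy")
    if auth and priv:
        algo = user.get("auth_algo", "sha1")
        k_auth = localized_key(auth, engine_id, algo)
        # DES and AES-128 privacy both take the first 16 octets of the key.
        k_priv = localized_key(priv, engine_id, algo)[:16]
        if k_auth[:16] == k_priv:
            findings.append("auth-key-equals-priv-key")
    return findings

ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test value

# Constructed sample users covering the cases discussed in the thread.
USERS = [
    {"name": "single-pass", "auth_pass": b"maplesyrup", "priv_pass": b"maplesyrup"},
    {"name": "auth-only", "auth_pass": b"maplesyrup", "priv_pass": None},
    {"name": "split-pass", "auth_pass": b"maplesyrup", "priv_pass": b"birchsyrup"},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], audit_user(u, ENGINE_ID) or "ok")
```

Only the third record, with distinct authentication and privacy passphrases, comes back clean, which is the configuration the thread asks the firmware to support.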