rwhalen3

Dell iDRAC 7 - CVE-2011-3389

Vulnerability scans are reporting that iDRAC 7 has the following vulnerability: CVE-2011-3389

I am running the latest iDRAC 7 firmware version - 1.66.65. Are there any firmware patches or configuration changes that can be applied to remediate this vulnerability?

Moderator

RE: Dell iDRAC 7 - CVE-2011-3389

Hello

After reviewing that vulnerability it appears to be an issue with the security of the browser and not likely a vulnerability of the iDRAC. I did not find any information about this vulnerability with our iDRACs. If you don't find this to be a browser issue then let me know and I will look into it further.

Thanks

Daniel Mysinger
Dell EMC, Enterprise Engineer

Get support on Twitter @DellCaresPRO

rwhalen3

RE: Dell iDRAC 7 - CVE-2011-3389

Please see below for additional information, and suggested remediation.

Additional Information:

This attack was identified in 2004, and later revisions of the TLS protocol contain a fix for it. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.

Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability. Microsoft has posted information including workarounds for IIS at KB2588513 (http://technet.microsoft.com/en-us/security/advisory/2588513).

Using the following SSL configuration in Apache mitigates this vulnerability:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

Qualys SSL/TLS Deployment Best Practices can be found here (https://www.ssllabs.com/projects/best-practices/).

Note: The RC4 recommendation applies only in situations where an upgrade to TLSv1.2 is not possible. RC4 in TLS v1.0 has an output bias problem, as described in QID 38601. Therefore it is recommended to upgrade to TLS v1.2 or later.

Moderator
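The reply above gives two remediation paths (move to TLSv1.1/1.2, or drop CBC suites on TLS 1.0) plus the RC4 caveat. The following script, an added example that is not part of this thread and not Dell or Qualys code, turns that logic into a check a practitioner can run over a scanner-style listing of protocol/cipher pairs: it flags TLS 1.0 (or SSLv3) CBC suites as exposed, recognises the RC4-only stop-gap as a weaker state, and shows what each remediation option leaves behind. The scan listing is constructed sample data, not output from an iDRAC, and the cipher classification follows OpenSSL naming conventions.

```python
"""Assess CVE-2011-3389 (BEAST) exposure from a list of offered TLS
protocol/cipher pairs, using the remediation logic from the post above:
TLS 1.0/SSLv3 with any CBC suite is exposed; RC4 on TLS 1.0 avoids BEAST but
carries its own bias problem; TLS 1.1+ only is the real fix."""

import re
from dataclasses import dataclass, field

# Constructed sample of a scanner-style listing, one "<protocol> <cipher>" pair
# per line with OpenSSL-style cipher names. Not real scan output from any device.
SAMPLE_SCAN = """\
TLSv1.0  AES256-SHA
TLSv1.0  AES128-SHA
TLSv1.0  DES-CBC3-SHA
TLSv1.0  RC4-SHA
TLSv1.2  ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2  AES128-SHA256
"""

LINE_RE = re.compile(r"^\s*(SSLv3|TLSv1\.[0-3])\s+(\S+)\s*$")

# Protocol versions in which the CBC IV chaining weakness applies.
LEGACY = {"SSLv3", "TLSv1.0"}


def is_cbc(cipher: str) -> bool:
    """Classify an OpenSSL-style cipher name as a CBC-mode suite.

    Stream ciphers (RC4), AEAD modes (GCM, CCM, CHACHA20) and NULL encryption
    are not CBC. OpenSSL names block ciphers in CBC mode either with an
    explicit CBC token (DES-CBC3-SHA) or with no mode token at all
    (AES128-SHA, CAMELLIA256-SHA, SEED-SHA), so any remaining block cipher
    name is treated as CBC."""
    c = cipher.upper()
    if "CBC" in c:
        return True
    if any(tok in c for tok in ("RC4", "GCM", "CCM", "CHACHA20", "NULL")):
        return False
    return re.search(r"(AES|CAMELLIA|SEED|DES|IDEA|ARIA)", c) is not None


def parse_scan(text: str):
    """Return [(protocol, cipher), ...] for every line that matches LINE_RE."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


@dataclass
class Assessment:
    status: str                      # "vulnerable", "mitigated_rc4", "remediated"
    exposed: list = field(default_factory=list)   # legacy-protocol CBC pairs
    rc4_offered: list = field(default_factory=list)


def assess(pairs) -> Assessment:
    """Apply the post's decision logic to the offered pairs."""
    exposed = [(p, c) for p, c in pairs if p in LEGACY and is_cbc(c)]
    rc4 = [(p, c) for p, c in pairs if "RC4" in c.upper()]
    legacy_offered = any(p in LEGACY for p, _ in pairs)
    if exposed:
        status = "vulnerable"
    elif legacy_offered and rc4:
        # BEAST is avoided, but the RC4 output bias noted in the post remains.
        status = "mitigated_rc4"
    else:
        status = "remediated"
    return Assessment(status, exposed, rc4)


def disable_legacy_cbc(pairs):
    """Remediation option 2 from the post: keep TLS 1.0 but drop its CBC suites."""
    return [(p, c) for p, c in pairs if not (p in LEGACY and is_cbc(c))]


def disable_legacy_protocols(pairs):
    """Remediation option 1 from the post: offer only TLSv1.1 and later."""
    return [(p, c) for p, c in pairs if p not in LEGACY]


if __name__ == "__main__":
    offered = parse_scan(SAMPLE_SCAN)
    for label, pairs in (
        ("as scanned", offered),
        ("after disabling TLS 1.0 CBC suites", disable_legacy_cbc(offered)),
        ("after disabling TLS 1.0 entirely", disable_legacy_protocols(offered)),
    ):
        a = assess(pairs)
        print(f"{label}: {a.status}; exposed={a.exposed}; rc4={a.rc4_offered}")
```

Feeding the constructed listing through all three views reports the scanned state as vulnerable (three TLS 1.0 CBC suites), the CBC-stripped state as mitigated only by RC4, and the TLS 1.1+ state as remediated; the TLSv1.2 AES128-SHA256 suite is CBC but is never flagged, since the chaining weakness is confined to the legacy protocol versions.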

RE: Dell iDRAC 7 - CVE-2011-3389

I checked on this and was told that we looked into this vulnerability regarding our iDRACs a few years ago. It was found that this vulnerability is a false positive.

Thanks

Daniel Mysinger
Dell EMC, Enterprise Engineer

Get support on Twitter @DellCaresPRO
