April 2nd, 2015 14:00

Dell iDRAC 7 - CVE-2011-3389

Vulnerability scans are reporting that iDRAC 7 has the following vulnerability:  CVE-2011-3389

I am running the latest iDRAC 7 firmware version - 1.66.65.  Are there any firmware patches or configuration changes that can be applied to remediate this vulnerability?

Moderator


April 2nd, 2015 17:00

Hello

After reviewing that vulnerability it appears to be an issue with the security of the browser and not likely a vulnerability of the iDRAC. I did not find any information about this vulnerability with our iDRACs. If you don't find this to be a browser issue then let me know and I will look into it further.

Thanks


April 7th, 2015 12:00

Please see below for additional information, and suggested remediation.

Additional Information:

This attack was identified in 2004, and later revisions of the TLS protocol contain a fix for it. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.

Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability. Microsoft has posted information including workarounds for IIS at KB2588513 (http://technet.microsoft.com/en-us/security/advisory/2588513).

Using the following SSL configuration in Apache mitigates this vulnerability:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

Qualys SSL/TLS Deployment Best Practices can be found here (https://www.ssllabs.com/projects/best-practices/).

Note: The RC4 recommendation is only for situations where an upgrade to TLSv1.2 is not possible. RC4 in TLS v1.0 has an output bias problem as described in QID 38601. Therefore it is recommended to upgrade to TLS v1.2 or later.
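The remediation above boils down to one condition: CVE-2011-3389 (BEAST) needs SSLv3 or TLS 1.0 negotiated together with a CBC-mode cipher suite, because only those protocol versions chain the IV from the previous record. The following script is an added example, not code from the post, Dell, or Qualys; it classifies scanner output (protocol, OpenSSL suite name) by that condition and can optionally make a live probe that offers a server nothing but TLS 1.0 with CBC suites. The function names, the sample scan data, and the 192.0.2.10 address are this example's own, and the live probe assumes a local OpenSSL that still permits TLS 1.0 (newer builds refuse, which the code reports rather than hides).

```python
"""Check whether a TLS endpoint still offers what CVE-2011-3389 (BEAST) needs:
TLS 1.0 (or SSLv3) negotiated with a CBC-mode cipher suite.

Added example, not code from the forum post, Dell, or Qualys. Function and
cipher-list names are this example's own choices.
"""
import socket
import ssl

# OpenSSL suite names are used throughout (the form Apache's SSLCipherSuite and
# most scanners report). Bulk ciphers that are NOT CBC: AEAD (GCM/CCM/CHACHA20),
# the RC4 stream cipher, and NULL (no encryption at all).
NON_CBC_TOKENS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")
# Everything else with an HMAC suffix or an explicit CBC tag is a CBC suite.
CBC_SUFFIXES = ("-SHA", "-SHA256", "-SHA384", "-MD5")


def is_cbc(suite: str) -> bool:
    """True if the OpenSSL suite name denotes a CBC-mode block cipher."""
    name = suite.upper()
    if any(tok in name for tok in NON_CBC_TOKENS):
        return False
    return "CBC" in name or name.endswith(CBC_SUFFIXES)


def beast_exposed(protocol: str, suite: str) -> bool:
    """BEAST needs the chained-IV record layer of SSLv3/TLS 1.0 plus a CBC suite.
    TLS 1.1+ sends a fresh explicit IV per record, so CBC there is not exposed."""
    return protocol in ("SSLv3", "TLSv1") and is_cbc(suite)


def exposed_suites(scan_results):
    """Filter (protocol, suite) pairs, as a scanner reports them, down to those
    that would trigger a CVE-2011-3389 finding."""
    return [(p, s) for p, s in scan_results if beast_exposed(p, s)]


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check: offer only TLS 1.0 with CBC suites (RC4 and AEAD excluded).
    Returns (protocol, suite) if the server accepts, None if it refuses.
    Needs a local OpenSSL that still permits TLS 1.0; raises RuntimeError otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # iDRAC certs are usually self-signed; only the handshake matters here
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        # SECLEVEL=0 lets OpenSSL 1.1+/3.x offer TLS 1.0 suites at all.
        ctx.set_ciphers("ALL:!aNULL:!eNULL:!RC4:@SECLEVEL=0")
    except (ssl.SSLError, ValueError) as exc:
        raise RuntimeError(f"local OpenSSL will not offer TLS 1.0 CBC suites: {exc}")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
        except (ssl.SSLError, ConnectionError):
            return None


# Constructed sample: what a scanner might list for a management interface that
# still has TLS 1.0 enabled. Not real iDRAC output.
SAMPLE_SCAN = [
    ("TLSv1", "DES-CBC3-SHA"),
    ("TLSv1", "AES128-SHA"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1.2", "AES256-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for proto, suite in exposed_suites(SAMPLE_SCAN):
        print(f"exposed: {proto} {suite}")
    # Uncomment to test a real host (hypothetical address):
    # print(probe("192.0.2.10"))
```

A `None` from `probe()` means the server refused every TLS 1.0 CBC suite, which is exactly what the two remediations above (TLS 1.1/1.2 only, or CBC disabled) are meant to achieve. A server that answers the probe with a CBC suite is still exposed regardless of what else it prefers. The post's own caveat about RC4 still applies: a host that is only reachable with RC4 under TLS 1.0 is not BEAST-exposed, but has traded that for the RC4 bias problem the note mentions.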

Moderator


April 8th, 2015 12:00

I checked on this and was told that we looked into this vulnerability regarding our iDRACs a few years ago. It was found that this vulnerability is a false positive.

Thanks
