November 8th, 2014 12:00
Vulnerabilities identified on DRAC/iDRAC
We've recently been undergoing some security scans within our environment. Across our DRACs/iDRACs a number of vulnerabilities have been identified which we cannot find resolutions for.
- (CVE-2011-3192) Apache HTTPD: Range header remote DoS
- OpenSSH X11 Cookie Local Authentication Bypass Vulnerability, and
- VNC remote control service installed
Has anyone else come across these? Are they false positives?
Thanks,
Daniel My
November 8th, 2014 16:00
Hello,
Our DRACs use the Apache web server. This exploit is from 2011, so if it is an issue it should be corrected with a firmware update for the DRAC.
Most of the security vulnerabilities triggered by the DRAC are false positives. Most of the vulnerabilities allow access to perform functions that are not available on the DRAC. For example, the DRAC may trigger on a vulnerability regarding the Apache Web Server that allows bypassing authentication for an application. That vulnerability would not apply to the DRAC since the application is not present, but it would still trigger an alert on a security scan because Apache is present.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
That exploit spans many versions of Apache, so it would likely affect many of our DRACs/iDRACs. I am unable to find any information specific to it. I would suggest that you make sure your DRACs are up to date, but I have no information regarding this vulnerability on our DRACs.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
That vulnerability can be ignored. The functionality that makes the vulnerability possible does not exist on our DRACs.
Having a remote control service is necessary for remote communication. This is equivalent to saying that having internet access is a vulnerability. It is a vulnerability, but you have to decide what is an acceptable risk for your network.
Thanks
dascione
November 18th, 2014 14:00
How is this an acceptable answer? Understandably, vulnerabilities in firmware for devices that are end-of-life will not be patched. What about devices that are? For example, the two M1000e Blade Chassis I am sitting on with an Apache vulnerability from 2013. Oh wait... there hasn't been a firmware update since 2013 either. Are we just going to stop supporting devices that are still very much alive? Firmware updates don't just end in the middle of a cycle, and just because something is small doesn't mean it's not important. The CVE affecting my blade chassis is a credible DoS vulnerability that shouldn't be ignored. Apache didn't ignore it when they developed a patch for it, and neither should the vendors who use the products in their appliance deployments. Another hint... stop stripping the system down so much and allow the users to do their own maintenance if you're not going to release consistent updates. You provide SSH access to most products, such as DRACs and the CMC for the M1000e, but the commands are so basic you can't do anything with it. What are you hiding, and who from? The people running these things aren't idiots, and using the root account to update a specific package is a mundane task at best, so what's the problem?
Obviously not all vulnerabilities will apply to appliances like this, but many actually do. Mounting a firmware package, installing an update, testing and subsequently releasing is not a difficult task to do.
raglanda
October 22nd, 2015 08:00
Daniel,
I have a couple of questions for you. I am trying to resolve some vulnerabilities that are being detected on one of our DRAC 5 units. I believe we are running the latest firmware, 1.60. Is 1.60 the latest and last update available for the DRAC 5? I am just trying to confirm whether the vulnerabilities listed below cannot be resolved because there is no newer firmware to update to, or whether there is some other resolution for them. I will greatly appreciate any assistance.
Thanks
- OpenSSH "X11UseLocalhost" X11 Forwarding Session Hijacking Vulnerability
- OpenSSH CBC Mode Information Disclosure Vulnerability
- OpenSSH X11 Forwarding Information Disclosure Vulnerability
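To tell whether the CBC-mode finding above reflects what the DRAC's SSH service actually offers, rather than a version-banner match, here is an added example (not from this thread or from Dell) that parses a server's SSH_MSG_KEXINIT and lists the CBC ciphers it advertises. The sample payload is constructed for offline use; `fetch_server_kexinit` and the host you point it at are assumptions.

```python
import socket
import struct

# Constructed sample payload of an SSH_MSG_KEXINIT packet (RFC 4253 section 7.1),
# shaped like a server offer that still includes CBC ciphers. Not captured from a DRAC.
def _namelist(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">I", len(b)) + b

SAMPLE_KEXINIT_PAYLOAD = (
    b"\x14" + b"\x00" * 16                          # msg id 20 + 16-byte cookie
    + _namelist("diffie-hellman-group14-sha1")      # kex algorithms
    + _namelist("ssh-rsa")                          # host key algorithms
    + _namelist("aes128-ctr,aes128-cbc,3des-cbc")   # ciphers client->server
    + _namelist("aes128-ctr,aes128-cbc,3des-cbc")   # ciphers server->client
    + _namelist("hmac-sha1") * 2                    # MACs, both directions
    + _namelist("none") * 2                         # compression, both directions
    + _namelist("") * 2                             # languages, both directions
    + b"\x00" + b"\x00\x00\x00\x00"                 # first_kex_packet_follows, reserved
)

def parse_kexinit(payload: bytes) -> dict:
    """Return the ten KEXINIT name-lists keyed by their RFC 4253 field names."""
    if payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    pos, out = 17, {}
    for name in fields:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        out[name] = payload[pos + 4:pos + 4 + n].decode().split(",") if n else []
        pos += 4 + n
    return out

def cbc_ciphers_offered(payload: bytes) -> list:
    """Every CBC-mode cipher the server advertises in either direction (sorted)."""
    k = parse_kexinit(payload)
    return sorted({c for c in k["enc_c2s"] + k["enc_s2c"] if c.endswith("-cbc")})

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the banner, then the payload of the first binary packet (the server KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-cbc_check\r\n")   # our identification string; many servers wait for it
        f = s.makefile("rb")
        while not f.readline().startswith(b"SSH-"):   # skip any pre-banner lines
            pass
        packet_len = struct.unpack(">I", f.read(4))[0]
        pad_len = f.read(1)[0]
        return f.read(packet_len - 1)[:packet_len - 1 - pad_len]   # strip random padding
```

Pass the bytes returned by `fetch_server_kexinit` to `cbc_ciphers_offered`; an empty list means the device offers no CBC cipher and the finding is banner-only.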