February 1st, 2017 12:00

iDRAC 8 Remote presence port cipher issues

We recently purchased an R930 with iDRAC 8. We are running the latest available update from the download page for the device (2.41.40.40). We have set the web page up to use TLSv1.2 only with a minimum of 168-bit ciphers. After doing so, we performed a Nessus scan of the device, and it looks like the remote presence port (default port 5900) doesn't honor the same cipher configuration as set in the website settings. It continues to use 128-bit ciphers, TLSv1.0 and 1.1, as well as RC4 and 3DES, which are not enabled on the standard page. Is there a way to configure ciphers on the remote presence port?
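The check described in the post above, as an added example that is not code from the thread or from Dell: a small Python probe that pins a client to one TLS version at a time, offers each cipher suite the local OpenSSL knows, records what a listener (host and port are assumed to come from the command line; the virtual console port discussed here defaults to 5900) will actually complete a handshake with, and then grades the result against a policy of the kind set on the web interface (TLS 1.2 only, no RC4/3DES, nothing under 168 bits). The policy deliberately carries a banned-algorithm list in addition to a bit-length floor, because OpenSSL reports DES-CBC3 suites as 168-bit, so a "minimum 168 bits" rule alone does not exclude 3DES.

```python
"""Probe a TLS listener for accepted protocol versions and cipher suites,
then judge the findings against a policy such as "TLS 1.2 only, no RC4/3DES".

Added example, not code from the forum thread or from Dell. Assumes the
target host and port are given on the command line.
"""
import socket
import ssl
import sys
from dataclasses import dataclass

# One probe per protocol version the local OpenSSL may be able to speak.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_context(version):
    """Client context pinned to exactly one protocol version, offering every
    suite the local OpenSSL can speak so that weak server choices become visible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # auditing protocol support, not the cert chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy suites be offered
    except (ssl.SSLError, ValueError):
        return None  # this OpenSSL build cannot offer that version at all
    return ctx


def try_handshake(host, port, ctx, timeout=5.0):
    """Return (cipher_name, bits) if the server completes a handshake, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return name, bits
    except (ssl.SSLError, OSError):
        return None


def accepted_suites(host, port, version_name, timeout=5.0):
    """Suites the server accepts at one version, found by offering them one at a
    time. Returns None when this client cannot even attempt that version."""
    base = make_context(PROBE_VERSIONS[version_name])
    if base is None:
        return None
    found = {}
    default = try_handshake(host, port, base, timeout)  # server's preferred suite
    if default:
        found[default[0]] = default[1]
    for entry in base.get_ciphers():  # everything this client could offer
        ctx = make_context(PROBE_VERSIONS[version_name])
        try:
            ctx.set_ciphers(entry["name"])
        except ssl.SSLError:
            continue  # name not selectable via the cipher-list syntax; skip it
        result = try_handshake(host, port, ctx, timeout)
        if result:
            found.setdefault(result[0], result[1])
    return sorted(found.items())


def scan(host, port, timeout=5.0):
    """Map each protocol version to its accepted (suite, bits) list, or None."""
    return {v: accepted_suites(host, port, v, timeout) for v in PROBE_VERSIONS}


@dataclass(frozen=True)
class Policy:
    allowed_versions: frozenset = frozenset({"TLSv1.2", "TLSv1.3"})
    min_bits: int = 168
    # Bit length alone misses 3DES: OpenSSL reports DES-CBC3 suites as 168-bit.
    banned_fragments: tuple = ("RC4", "DES-CBC3", "3DES", "NULL", "EXPORT", "MD5", "ANON")


def evaluate(findings, policy):
    """Turn scan findings into a list of human-readable policy violations."""
    violations = []
    for version, suites in findings.items():
        if not suites:  # rejected by the server, or not probeable from this client
            continue
        if version not in policy.allowed_versions:
            violations.append(f"{version} accepted")
        for name, bits in suites:
            if bits < policy.min_bits:
                violations.append(f"{version}: {name} is {bits}-bit, below {policy.min_bits}")
            if any(frag in name for frag in policy.banned_fragments):
                violations.append(f"{version}: {name} uses a banned algorithm")
    return violations


if __name__ == "__main__":
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    results = scan(target_host, target_port)
    for ver, accepted in results.items():
        if accepted is None:
            print(f"{ver}: cannot be probed from this client's OpenSSL")
        else:
            print(f"{ver}: " + (", ".join(f"{n} ({b}-bit)" for n, b in accepted) or "rejected"))
    for v in evaluate(results, Policy()):
        print("VIOLATION:", v)
```

Run it as `python probe.py <idrac-host> 5900` and again against 443 to compare the two listeners side by side. Note that a current distribution's OpenSSL may refuse to offer TLS 1.0 or 1.1 at all; the probe then reports those versions as not probeable rather than as rejected, so a clean result from this tool only means as much as the client's own protocol support.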

Moderator


6.2K Posts

February 2nd, 2017 09:00

Hello

This is intended behavior. There is no way to disable TLS 1.0 on the console/virtual media port.

Thanks

6 Posts

February 2nd, 2017 10:00

Why is this intended behavior? Why would disabling TLSv1 or disabling RC4 and 3DES be a bad move? It should only be a problem if you are using an unsupported browser, and if you give folks the choice it still wouldn't be a problem. When are these 'features' expected to be removed? PCI-DSS audits look for exactly this type of issue, and telling the auditors it's "by design" is not enough.

112 Posts

February 2nd, 2017 22:00

iDRAC firmware 2.40.40 gives you the ability to set TLS at 1.0 or higher, 1.1 or higher, or 1.2 only, and by default sets TLS at 1.1.

See - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverID=WH24V&productCode=poweredge-r720

"Security, support for TLS 1.1 and higher is enabled. You can select TLS 1.0 and higher, TLS 1.1 and higher, or TLS 1.2 only.

Please note that your OS and browser that you are connecting from will need to support TLS 1.2."

http://www.dell.com/Support/Article/us/en/19/SLN302365

6 Posts

February 3rd, 2017 08:00

Please re-read my question. I am aware and have already set my iDRAC to TLSv1.2 only. This question is specifically about the remote presence port (5900). The linked instructions don't apply.

2 Posts

June 5th, 2017 03:00

Having the same problem. Because of this issue we are failing our audit. I hope there will be a fix soon.

1 Message

September 21st, 2017 14:00

I have the same problem and I think the answer is not acceptable...
The PCI auditor asked me for a letter or an official document from Dell about the resolution for this issue...
Is there a way to disable port 5900?

2 Posts

September 22nd, 2017 02:00

I hope this will help (my questions bold, answers below)

Hello

1 - port 5900 using TLS1 only - is there any possibility to set this to TLS1.2 ?

No, the console port is only accessible by first authenticating through the web interface. We see the initial encryption through the web server as adequate. Encryption is less on this port for performance reasons.

2 - can you confirm on port 22 X11Forwarding is disabled ?

X11 is not a feature of the iDRAC. It may trigger on a security scan, but it is not enabled.

3 - The Web server stopped responding to 3 consecutive connection attempts - any ideas on that ? is there some hardcoded limitation on the iDrac's web server ?

Yes, there is a limit to the number of networking requests the iDRAC will respond to within a given time. If you have multiple monitoring applications requesting information from the iDRAC you will likely need to configure a delay in the application. This affects most network requests to the iDRAC (ICMP, SSH, etc).

4 - Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks. - basically, web server is missing some headers - is it possible to set following headers on iDrac's web server - X-Frame-Options, X-XSS-Protection and X-Content-Type-Options ?

I am not aware of any method to modify the web interface of the iDRAC. I'm fairly certain the tools used to do this are for development purposes only and are stripped out of the firmware prior to release.

The iDRAC is a security risk. There are ways that you can make it more secure, but we recommend access to the iDRAC be restricted by your network. It is recommended that it not be accessible on the WAN, that it be on a management network/VLAN, and that the management VLAN have limited access to only management stations utilizing something like access control lists. If you need to access the iDRAC from the WAN then it is recommended to first connect to a management station on the local network of the iDRAC. If someone gains access to the iDRAC they can bypass other security. iDRAC access is very similar to being physically at the server in regard to system BIOS and other access.

 

Thanks

Daniel Mysinger

Enterprise Engineer, Social Media and Communities

Dell EMC | Support Services

Get Support on Twitter: @DellCaresPRO

My work schedule is 9:00 am - 6:00 pm Monday - Friday CDT

Customer feedback | How am I doing? Please contact my manager, Amine.Elmesnaoui@Dell.com

4 Operator


3K Posts

September 26th, 2017 08:00

We have new FW 2.50.50.50 (Link) released with a fix for this. After flashing this FW you can disable both virtual console and virtual media to disable port 5900.

6 Posts

September 26th, 2017 09:00

I appreciate that you are looking at solutions, but this doesn't really solve the problem. We use the Virtual Console, so having the option to disable it doesn't fix anything.

"1 - port 5900 using TLS1 only - is there any possibility to set this to TLS1.2 ?

No, the console port is only accessible by first authenticating through the web interface. We see the initial encryption through the web server as adequate. Encryption is less on this port for performance reasons."

If this was around performance concerns, why not allow users to enable it with a warning? How much of a performance overhead can TLS 1.2 add? Can you qualify your statements more with some actual data about how badly this impacts performance? If this was for performance reasons only, why are RC4 and 3DES enabled?

EDIT:

I also wanted to address your final statement, namely:

"The iDRAC is a security risk. There are ways that you can make it more secure, but we recommend access to the iDRAC be restricted by your network. It is recommended that it not be accessible on the WAN, that it be on a management network/VLAN, and that the management VLAN have limited access to only management stations utilizing something like access control lists. If you need to access the iDRAC from the WAN then it is recommended to first connect to a management station on the local network of the iDRAC. If someone gains access to the iDRAC they can bypass other security. iDRAC access is very similar to being physically at the server in regard to system BIOS and other access."

While your concern about WAN/LAN connectivity is well founded and is sound advice, PCI/DSS requires audits of internal services as well as external. Simply segmenting off the iDRAC to a LAN only network, even behind a VLAN with an ACL, does NOT meet the regulatory standard. TLS 1.0 is not acceptable to PCI/DSS audits, regardless of other controls in place to limit exposure. There is no regulatory consideration given because the service is not internet accessible.

1 Message

July 9th, 2019 22:00

Hello,

We have DELL PowerEdge R730xd and PowerEdge R630 servers running firmware 2.63.60.61 (latest available on the DELL portal), which has no provision to set the Virtual Console port 5900 to use TLS1.2 with custom ciphers; at the moment this can only be set for port 443 on Dell servers. This is a big concern for the security audits of these iDRACs for us.

I came across this two-year-old update stating that port 5900 uses TLS1 only and that there was no provision to set it to TLS1.2, as per the last update on this forum by one of the Dell engineers, Daniel Mysinger, dated 22nd Sept 2017.

Has DELL managed to get a fix for this virtual console port to use TLS1.2 and custom cipher settings yet? If not, are there any plans for getting this feature added in an upcoming iDRAC firmware?

Kapil Bhuskute
Senior Cloud Infrastructure Engineer,

Qualys Inc.
kbhuskute@qualys.com

July 30th, 2019 09:00

Hello Dell, is there any further information on this issue? We have also disabled VNC (port 5900) in the web interface, but we are still failing our security vulnerability scans (Retina). Does anyone have any suggestions?

1 Message

January 24th, 2024 23:21

@psutty is the answer to question #4 still applicable today?
