April 6th, 2018 08:00
drac 5 latest Firmware will fix Apache HTTPD Vulnerability
Hi,
Can someone please let me know what the latest firmware for DRAC 5 is and where I can download it?
Also, I need to check whether it fixes the vulnerability below, or whether there is any other solution for it. We are already on firmware 1.65.
Vulnerability Title: Apache HTTPD: mod_proxy_ftp FTP command injection (CVE-2009-3095)
Vulnerability Proof:
"* Running HTTP service
* Product HTTPD exists -- Apache HTTPD 2.2.3
* Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.3"
Thanks in Advance



Daniel My
April 6th, 2018 10:00
Hello
Please send a private message with your service tag to ensure we have all appropriate information on your system.
Thanks
Daniel My
April 6th, 2018 12:00
Thank you for the service tag.
I show that 1.65 was the last firmware update released for the DRAC 5. I was unable to find any mention of CVE-2009-3095 in any of our updates or statements.
https://www.dell.com/support/home/drivers/driversdetails?driverId=D8GP9
Most detected vulnerabilities in relation to the Apache server on our DRACs are false positives. The Apache server running on the DRAC does not have full functionality. Most of the security alerts just check if Apache is running and what version it is. They do not perform penetration tests to see if the device is actually vulnerable.
I can't say for sure if the DRAC5 is vulnerable to this type of attack. The DRAC5 has been end-of-life for several years, and even if it was vulnerable it is unlikely we will ever release another firmware update for the DRAC5. 1.65 looks to be the last firmware update it will receive.
Thanks
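The reply above says most alerts only check that Apache is running and which version it reports. As an added example (not part of the thread and not Dell's or the scanner vendor's code), this Python sketch triages a finding by parsing the proof text from the first post and reporting whether the evidence is version-only. The function names, the fixed-in version 2.2.14 (taken from the upstream httpd changelog) and the extra proof line are assumptions of this example.

```python
import re

# Fixed-in release for CVE-2009-3095 on the 2.2 branch, per the upstream httpd
# changelog (assumption of this example; confirm against your scanner's data).
FIXED_IN = (2, 2, 14)

# Proof lines that only restate a service banner or version string.
VERSION_ONLY = [
    re.compile(r"^Running \S+ service$"),
    re.compile(r"^Product \S+ exists -- .+$"),
    re.compile(r"^Vulnerable version of product \S+ found -- .+$"),
]
VERSION_RE = re.compile(r"found -- Apache HTTPD (\d+(?:\.\d+)*)")


def parse_proof(proof):
    """Split a scanner proof blob into bare lines, dropping quotes and bullets."""
    lines = []
    for raw in proof.splitlines():
        line = raw.strip().strip('"').lstrip("*").strip()
        if line:
            lines.append(line)
    return lines


def triage(proof):
    """Classify a finding by the kind of evidence the scanner recorded."""
    lines = parse_proof(proof)
    other = [l for l in lines if not any(p.match(l) for p in VERSION_ONLY)]
    m = VERSION_RE.search("\n".join(lines))
    version = tuple(int(x) for x in m.group(1).split(".")) if m else None
    return {
        "version": version,
        "below_fixed": version is not None and version < FIXED_IN,
        "evidence": "version-only" if lines and not other else "other",
        "unexplained_lines": other,
    }


# Proof text as quoted in the original post.
POSTED = '''"* Running HTTP service
* Product HTTPD exists -- Apache HTTPD 2.2.3
* Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.3"'''

# Constructed sample: a proof that records more than a version string.
CONSTRUCTED = POSTED.strip('"') + "\n* Module mod_proxy_ftp reported as loaded"

if __name__ == "__main__":
    for p in (POSTED, CONSTRUCTED): print(triage(p))
```

A "version-only" result means the scanner matched the reported version against an affected range and nothing more, so the finding still needs manual validation or a compensating control such as restricting access to the DRAC's management interface.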