Unsolved
Dell iDRAC 7 - CVE-2011-3389
Vulnerability scans are reporting that iDRAC 7 has the following vulnerability: CVE-2011-3389
I am running the latest iDRAC 7 firmware version - 1.66.65. Are there any firmware patches or configuration changes that can be applied to remediate this vulnerability?
DELL-Daniel My (Moderator)
April 2nd, 2015 17:00
Hello
After reviewing that vulnerability it appears to be an issue with the security of the browser and not likely a vulnerability of the iDRAC. I did not find any information about this vulnerability with our iDRACs. If you don't find this to be a browser issue then let me know and I will look into it further.
Thanks
rwhalen3
April 7th, 2015 12:00
Please see below for additional information, and suggested remediation.
Additional Information:
This attack was identified in 2004, and later revisions of the TLS protocol contain a fix for it. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.
Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability. Microsoft has posted information including workarounds for IIS at KB2588513 (http://technet.microsoft.com/en-us/security/advisory/2588513).
Using the following SSL configuration in Apache mitigates this vulnerability:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
Qualys SSL/TLS Deployment Best Practices can be found here (https://www.ssllabs.com/projects/best-practices/).
Note: The RC4 recommendation is only for situations where an upgrade to TLSv1.2 is not possible. RC4 in TLS v1.0 has an output bias problem as described in QID 38601. Therefore it is recommended to upgrade to TLS v1.2 or later.
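The guidance in the post above boils down to two conditions that must both hold for CVE-2011-3389 (BEAST) to apply: a CBC-mode cipher suite negotiated under SSLv3 or TLS 1.0, which chain IVs across records. CBC under TLS 1.1 or 1.2 uses explicit per-record IVs and is not BEAST-exposed, and RC4 sidesteps CBC but carries its own keystream-bias weakness (the QID 38601 caveat). The following Python script is an added example, not code from this thread or from Dell: it triages a constructed list of scanner-style (protocol, IANA suite) findings with that logic, and includes an optional live probe that tries to negotiate TLS 1.0 with a CBC suite against a host, which is how you would confirm or refute the scanner's claim against an iDRAC. The names `assess_scan`, `probe_tls10_cbc` and the `SAMPLE_SCAN` data are this example's own.

```python
"""Triage scanner findings for CVE-2011-3389 (BEAST) exposure.

Added example (not from the Dell thread).  BEAST needs both a CBC-mode
suite and SSLv3/TLS 1.0 (chained IVs).  TLS 1.1+ uses explicit IVs, so
CBC there is not BEAST-exposed.  RC4 is reported separately because it
avoids CBC but has its own keystream-bias problem.
"""
import socket
import ssl
import sys

# Protocol versions whose CBC records are chained (implicit IV).
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1.0"}

# Constructed sample of what a scanner might report as negotiable.
SAMPLE_SCAN = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
]


def cipher_mode(iana_name: str) -> str:
    """Classify an IANA suite name by its record-protection mode."""
    n = iana_name.upper()
    if "_CBC_" in n:
        return "CBC"
    if "_RC4_" in n:
        return "RC4"
    if "_GCM_" in n or "_CCM" in n or "CHACHA20" in n:
        return "AEAD"
    return "OTHER"


def beast_exposed(protocol: str, iana_name: str) -> bool:
    """True only for CBC suites on a chained-IV protocol version."""
    return protocol in CHAINED_IV_PROTOCOLS and cipher_mode(iana_name) == "CBC"


def assess_scan(results):
    """results: iterable of (protocol, suite) pairs reported as negotiable.

    Returns the BEAST-exposed pairs, the RC4 pairs (a separate weakness,
    not a fix), and the remediation matching the post's guidance."""
    results = list(results)
    beast = [r for r in results if beast_exposed(*r)]
    rc4 = [r for r in results if cipher_mode(r[1]) == "RC4"]
    if beast:
        fix = ("Disable SSLv3/TLS 1.0 and prefer TLS 1.2+; if that is not "
               "possible, remove CBC suites from the TLS 1.0 cipher list")
    else:
        fix = "No BEAST exposure: CBC is only offered on TLS 1.1+ or not at all"
    return {"beast": beast, "rc4": rc4, "fix": fix}


def probe_tls10_cbc(host: str, port: int = 443, timeout: float = 5.0):
    """Try to negotiate TLS 1.0 with a CBC suite against host:port.

    Returns (version, openssl_cipher_name) if the server accepts, else
    None.  None can also mean the *local* OpenSSL refuses TLS 1.0, so
    confirm a clean result with `openssl s_client -tls1` before closing
    the finding as a false positive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # iDRAC certs are usually self-signed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        # OpenSSL names here (not IANA); SECLEVEL=0 re-enables legacy suites.
        ctx.set_ciphers("AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None                     # local library cannot speak TLS 1.0
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return version, name
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:               # live probe: python beast.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe_tls10_cbc(sys.argv[1], port))
    else:                               # offline triage of the constructed sample
        for key, value in assess_scan(SAMPLE_SCAN).items():
            print(f"{key}: {value}")
```

Run it with no arguments to triage the constructed sample, or with a host (and optional port) to attempt the TLS 1.0 + CBC handshake against a real iDRAC. A successful handshake means the scanner is right regardless of what the browser does; the client is the victim in BEAST, but the server is the side that controls which protocol versions and suites it is willing to accept.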
DELL-Daniel My (Moderator)
April 8th, 2015 12:00
I checked on this and was told that we looked into this vulnerability regarding our iDRACs a few years ago. It was found that this vulnerability is a false positive.
Thanks