Dell DRAC Response to CVE-2014-3566 (Poodle)


A vulnerability in the SSLv3 protocol (CVE-2014-3566) has been found that affects all SSLv3 traffic but not TLS traffic. Dell DRAC/iDRAC devices, as well as CMC and PowerEdge-C BMC, may be reported as vulnerable to POODLE (Padding Oracle On Downgrade Legacy Encryption). This is because the web services built into these devices allow a client system to negotiate and fall back to the SSL protocols.



Until a firmware update is available for these devices, Dell recommends following the best practices as suggested by the browser vendors to disable SSLv3 support on client systems.

DRACs are intended to be on a separate management network; they are neither designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible. Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators. No firmware update is planned for the DRAC5, as that platform is End of Life (EOL).

Update:
Firmware updates are available for the following devices (these links are provided for reference to release notes and may not be the latest firmware available):
iDRAC7/iDRAC8 2.15.10.10 - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=VN754
iDRAC6 Monolithic 1.99 - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=0F12K
iDRAC6 Modular 3.75 - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=GR09H
CMC(M1000E) 5.01 - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=J0J3N
CMC(FX) 1.20 - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=JK17Y
CMC(VRTX) 2.0.1 - http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=K6FCR
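
To check whether a controller's web service still answers an SSLv3 hello, for instance after applying one of the firmware updates above, the following added example (not Dell's code) sends an SSLv3-only ClientHello and classifies the first record of the reply. Port 443, the offered cipher suites and the result labels are assumptions of the example; hostnames are passed on the command line.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# CBC suites (the mode POODLE targets) plus RC4, all defined for SSLv3:
# RSA_AES_128_CBC_SHA, RSA_AES_256_CBC_SHA, RSA_3DES_EDE_CBC_SHA, RSA_RC4_128_SHA
SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"


def build_client_hello() -> bytes:
    """One SSLv3 record carrying a ClientHello that offers only version 3.0."""
    body = (SSL3 + os.urandom(32)                   # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify(reply: bytes) -> str:
    """Interpret the first bytes the server sent back."""
    if len(reply) < 5:
        return "no-reply"            # unreachable, closed or reset
    if reply[0] == 0x15:
        return "rejected"            # alert record: the hello was refused
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header
        return "sslv3-accepted" if reply[9:11] == SSL3 else "other-version"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            while len(reply) < 11 and (chunk := s.recv(64)):
                reply += chunk
    except OSError:
        pass                         # reset or timeout: classify what arrived
    return classify(reply)


if __name__ == "__main__":
    for target in sys.argv[1:]:      # hostnames of your own controllers
        print(target, probe(target))
```

A result of `sslv3-accepted` means the endpoint completed the version negotiation at SSL 3.0; `rejected` or `no-reply` means the SSLv3-only hello was not accepted.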



Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN294304

Last Date Modified: 09/14/2019 06:05 AM

