DSA-2019-028: Dell Technologies iDRAC Multiple Vulnerabilities

Summary: Dell Technologies has updated iDRAC to address multiple vulnerabilities that could be exploited to compromise affected systems.


Symptoms

DSA ID: DSA-2019-028

CVE Identifiers: CVE-2019-3705, CVE-2019-3706, CVE-2019-3707

Severity: High

Severity Rating: See the CVSS score details for each CVE in the section below.

Affected products:

  • Dell Technologies iDRAC6 versions prior to 2.92 (CVE-2019-3705)
  • Dell Technologies iDRAC7/iDRAC8 versions prior to 2.61.60.60 (CVE-2019-3705)
  • Dell Technologies iDRAC9 versions prior to 3.30.30.30, 3.20.21.20, 3.21.24.22, 3.21.26.22, 3.23.23.23, 3.24.24.24, 3.22.22.22, 3.21.25.22 (CVE-2019-3705, CVE-2019-3706 and CVE-2019-3707)

Cause

Details:

  • Buffer overflow vulnerability (CVE-2019-3705)

Dell Technologies iDRAC6 versions prior to 2.92, iDRAC7/iDRAC8 versions prior to 2.61.60.60, and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may exploit this vulnerability to crash the web server or execute arbitrary code on the system with web server privileges by sending specially crafted input data to the affected system.

CVSSv3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Web interface authentication bypass vulnerability (CVE-2019-3706)

Dell Technologies iDRAC9 versions prior to 3.24.24.24, 3.21.26.22, 3.22.22.22 and 3.21.25.22 contain an authentication bypass vulnerability. A remote attacker may exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted data to the iDRAC web interface.

CVSSv3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

  • WS-MAN authentication bypass vulnerability (CVE-2019-3707)

Dell Technologies iDRAC9 versions prior to 3.30.30.30 contain an authentication bypass vulnerability. A remote attacker may exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted input data to the WS-MAN interface.

CVSSv3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

Resolution

The following Dell Technologies iDRAC firmware versions contain resolutions for these vulnerabilities:
 

iDRAC     iDRAC firmware version
iDRAC9    3.20.21.20, 3.21.24.22, 3.21.26.22, 3.23.23.23, 3.24.24.24, 3.22.22.22, 3.21.25.22, 3.30.30.30
iDRAC8    2.61.60.60
iDRAC7    2.61.60.60
iDRAC6    2.92

Dell Technologies recommends that all customers upgrade at the earliest opportunity.
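To turn the resolution table above into an inventory check, the following is an added example (not Dell's code or tooling) that reports, per host, which of the three CVEs a given iDRAC firmware is still exposed to. Assumptions: a version counts as remediated for a CVE when it is at or above a listed fixed build from the same x.y branch, or at or above the generation's highest fixed version in the table; any other version is conservatively reported as affected; the inventory rows are constructed.

```python
from typing import Dict, List, Tuple

# Fixed firmware versions per CVE and iDRAC generation, taken from DSA-2019-028.
FIXED_VERSIONS: Dict[str, Dict[str, List[str]]] = {
    "CVE-2019-3705": {
        "iDRAC6": ["2.92"], "iDRAC7": ["2.61.60.60"], "iDRAC8": ["2.61.60.60"],
        "iDRAC9": ["3.20.21.20", "3.21.24.22", "3.21.26.22", "3.23.23.23"],
    },
    "CVE-2019-3706": {"iDRAC9": ["3.24.24.24", "3.21.26.22", "3.22.22.22", "3.21.25.22"]},
    "CVE-2019-3707": {"iDRAC9": ["3.30.30.30"]},
}
# Highest fixed version per generation from the resolution table. Assumption: any
# firmware at or above it carries every fix in this advisory.
LATEST_FIX = {"iDRAC6": "2.92", "iDRAC7": "2.61.60.60",
              "iDRAC8": "2.61.60.60", "iDRAC9": "3.30.30.30"}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted iDRAC version such as '3.21.25.22' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def is_fixed(generation: str, version: str, cve: str) -> bool:
    """True when the firmware is at a version the advisory lists as fixed for the CVE."""
    fixes = FIXED_VERSIONS[cve].get(generation)
    if fixes is None:
        return True  # the advisory does not list this CVE for this generation
    ver = parse_version(version)
    if ver >= parse_version(LATEST_FIX[generation]):
        return True
    # Only a fixed build from the same x.y branch counts; a build from an unlisted
    # branch that is below the latest fix is conservatively reported as affected.
    return any(ver[:2] == parse_version(fix)[:2] and ver >= parse_version(fix)
               for fix in fixes)

def exposed_cves(generation: str, version: str) -> List[str]:
    """CVEs from this advisory that the given firmware is still exposed to."""
    return [cve for cve in FIXED_VERSIONS if not is_fixed(generation, version, cve)]

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each (host, generation, version) row to the CVEs still outstanding."""
    return {host: exposed_cves(gen, ver) for host, gen, ver in inventory}

# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [("r740-01", "iDRAC9", "3.21.25.22"), ("r740-02", "iDRAC9", "3.30.30.30"),
                    ("r630-01", "iDRAC8", "2.60.60.60"), ("r710-01", "iDRAC6", "2.85")]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, "needs update for " + ", ".join(cves) if cves else "up to date")
```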

Dell Best Practices regarding iDRAC

In addition to maintaining current iDRAC firmware, Dell also offers the following recommendations:

  • iDRACs are not designed or intended to be placed on or connected to the Internet; they should be on a separate management network. Placing or connecting iDRACs directly to the Internet could expose the connected systems to security and other risks for which Dell is not responsible.
  • Along with placing iDRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.
  • Dell Technologies recommends that customers consider any deployment factors that may be relevant to their environment in order to assess their overall risk.


Remediation Links

Customers can download iDRAC firmware for PowerEdge servers. For all other platforms, select the platform from the Dell Support site.


Dell Technologies recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Affected Products

iDRAC7 with Lifecycle Controller Version 2.22.22.22, iDRAC6 for Monolithic Servers Version 2.85, iDRAC6 for Monolithic Servers Version 2.90, iDRAC6 for Monolithic Servers Version 2.91, iDRAC6 for Monolithic Servers Version 2.80 , iDRAC6 for Monolithic Servers Version 1.99, iDRAC7 with Lifecycle Controller Version 2.13.13.12, iDRAC7 with Lifecycle Controller Version 2.15.10.10, iDRAC7 with Lifecycle Controller Version 2.43.43.43, iDRAC7 with Lifecycle Controller Version 2.21.21.21, iDRAC7 with Lifecycle Controller Version 2.30.30.30, iDRAC7 with Lifecycle Controller Version 2.40.40.40, iDRAC7 with Lifecycle Controller Version 2.41.40.40, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7 with Lifecycle Controller Version 2.10.10.10, iDRAC7 with Lifecycle Controller Version 2.20.20.20, iDRAC7 with Lifecycle Controller Version 2.31.31.30, iDRAC7 with Lifecycle Controller Version 2.32.31.30, iDRAC7 Version 1.65.65, iDRAC7 Version 1.66.65, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.18.17.13, iDRAC8 with Lifecycle Controller Version 2.30.119.30, iDRAC8 with Lifecycle Controller Version 2.35.35.35, iDRAC8 with Lifecycle Controller Version 2.42.110.40, iDRAC8 with Lifecycle Controller Version 2.45.45.40, iDRAC8 with Lifecycle Controller Version 2.55.55.50, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05, iDRAC8 with Lifecycle Controller Version 2.23.23.21, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC6 for Blade Servers Version 2.0, iDRAC6 for Blade Servers Version 2.1, iDRAC6 for Blade Servers Version 2.2, iDRAC for Blade Servers Version 1.0, iDRAC for Blade Servers Version 1.11, iDRAC for Blade Servers Version 1.2, 
iDRAC for Blade Servers Version 1.4, iDRAC for Blade Servers Version 1.5, iDRAC6 for Monolithic Servers Version 1.0, iDRAC6 for Monolithic Servers Version 1.1, iDRAC6 for Monolithic Servers Version 1.2, iDRAC6 for Monolithic Servers Version 1.3, iDRAC6 for Monolithic Servers Version 1.5, iDRAC6 for Monolithic Servers Version 1.7, iDRAC6 for Monolithic Servers Version 1.8, iDRAC6 for Monolithic Servers Version 1.9, iDRAC6 for Monolithic Servers Version 1.95, iDRAC6 for Monolithic Servers Version 1.97, iDRAC6 for Monolithic Servers Version 1.98, iDRAC7 Version 1.00.00, iDRAC7 Version 1.10.10, iDRAC7 Version 1.20.20, iDRAC7 Version 1.30.30, iDRAC7 Version 1.35.35, iDRAC7 Version 1.40.40, iDRAC7 Version 1.50.50, iDRAC7 Version 1.51.51, iDRAC7 Version 1.55.55, iDRAC7 Version 1.56.55, iDRAC7 Version 1.57.57, iDRAC8 with Lifecycle Controller Version 2.00.00.00, iDRAC8 with Lifecycle Controller Version 2.02.01.01 ...
Article Properties
Article Number: 000176947
Article Type: Solution
Last Modified: 11 Dec 2024
Version: 4