DSA-2019-028: Dell Technologies iDRAC Multiple Vulnerabilities
Summary: Dell Technologies iDRAC has been updated to address multiple vulnerabilities that could be exploited to compromise affected systems.
Symptoms
DSA ID: DSA-2019-028
CVE Identifiers: CVE-2019-3705, CVE-2019-3706, CVE-2019-3707
Severity: High
Severity Rating: See the Details section below for the individual CVSS score of each CVE.
Affected products:
- Dell Technologies iDRAC6 versions prior to 2.92 (CVE-2019-3705)
- Dell Technologies iDRAC7/iDRAC8 versions prior to 2.61.60.60 (CVE-2019-3705)
- Dell Technologies iDRAC9 versions prior to 3.30.30.30, 3.20.21.20, 3.21.24.22, 3.21.26.22, 3.23.23.23, 3.24.24.24, 3.22.22.22, 3.21.25.22 (CVE-2019-3705, CVE-2019-3706 and CVE-2019-3707)
Cause
Details:
- Buffer overflow vulnerability (CVE-2019-3705)
Dell Technologies iDRAC6 versions prior to 2.92, iDRAC7/iDRAC8 versions prior to 2.61.60.60, and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted input data to the affected system, causing the web server to crash or executing arbitrary code on the system with the privileges of the web server.
CVSSv3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Web interface authentication bypass vulnerability (CVE-2019-3706)
Dell Technologies iDRAC9 versions prior to 3.24.24.24, 3.21.26.22, 3.22.22.22 and 3.21.25.22 contain an authentication bypass vulnerability. A remote attacker could exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted data to the iDRAC web interface.
CVSSv3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
- WS-MAN authentication bypass vulnerability (CVE-2019-3707)
Dell Technologies iDRAC9 versions prior to 3.30.30.30 contain an authentication bypass vulnerability. A remote attacker could exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted input data to the WS-MAN interface.
CVSSv3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
Resolution
The following Dell Technologies iDRAC firmware releases contain resolutions for these vulnerabilities (the third column is taken from the Details section above):
| iDRAC  | iDRAC firmware version | CVEs addressed |
| iDRAC9 | 3.20.21.20 | CVE-2019-3705 |
| iDRAC9 | 3.21.24.22 | CVE-2019-3705 |
| iDRAC9 | 3.21.26.22 | CVE-2019-3705, CVE-2019-3706 |
| iDRAC9 | 3.23.23.23 | CVE-2019-3705 |
| iDRAC9 | 3.24.24.24 | CVE-2019-3706 |
| iDRAC9 | 3.22.22.22 | CVE-2019-3706 |
| iDRAC9 | 3.21.25.22 | CVE-2019-3706 |
| iDRAC9 | 3.30.30.30 | CVE-2019-3707 |
| iDRAC8 | 2.61.60.60 | CVE-2019-3705 |
| iDRAC7 | 2.61.60.60 | CVE-2019-3705 |
| iDRAC6 | 2.92 | CVE-2019-3705 |
Note that 3.30.30.30 is the only iDRAC9 release listed as fixing CVE-2019-3707, so an iDRAC9 running one of the earlier branch releases above remains affected by that CVE until it is moved to 3.30.30.30 or later.
Dell Technologies recommends that all customers upgrade at the earliest opportunity.
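The upgrade decision above is a version comparison per iDRAC generation, and at fleet scale it is worth scripting. The following Python triage script is an added example, not Dell's code and not part of the advisory: it compares each inventoried iDRAC's firmware against the lowest release that closes every CVE in this advisory for its generation, and lists the hosts that still need an upgrade. The inventory is constructed; where the generation and version strings come from in practice (an asset database, or the iDRAC's own reported firmware version) is an assumption. For iDRAC9 the script deliberately uses 3.30.30.30 as the bar, because that is the only release the advisory lists as fixing CVE-2019-3707, so hosts on the earlier branch fixes are still flagged.

```python
"""
Fleet triage for DSA-2019-028: flag iDRACs whose firmware is older than the
release that closes CVE-2019-3705, CVE-2019-3706 and CVE-2019-3707.
Added example, not Dell's code. The inventory below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Lowest firmware per generation that closes every CVE in the advisory that
# applies to it. iDRAC9 has several branch-specific fixes for CVE-2019-3705 and
# CVE-2019-3706, but CVE-2019-3707 is fixed only in 3.30.30.30, so that release
# is the bar for a fully patched iDRAC9 (conservative: a host on 3.21.26.22 is
# still flagged).
FIXED_ALL: Dict[str, str] = {
    "iDRAC6": "2.92",
    "iDRAC7": "2.61.60.60",
    "iDRAC8": "2.61.60.60",
    "iDRAC9": "3.30.30.30",
}

# Constructed inventory (hypothetical host names). In practice the generation and
# version would come from an asset database or from the iDRAC's own reported
# firmware version; that data source is an assumption of this example.
INVENTORY: List[Dict[str, str]] = [
    {"host": "r740-01", "generation": "iDRAC9", "version": "3.21.26.22"},
    {"host": "r740-02", "generation": "iDRAC9", "version": "3.30.30.30"},
    {"host": "r730-07", "generation": "iDRAC8", "version": "2.60.60.60"},
    {"host": "r720-03", "generation": "iDRAC7", "version": "2.61.60.60"},
    {"host": "r710-11", "generation": "iDRAC6", "version": "2.85"},
    {"host": "lab-bmc", "generation": "iLO5", "version": "1.40"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.61.60.60' into (2, 61, 60, 60). Rejects anything non-numeric so a
    garbled inventory entry cannot silently compare as 'patched'."""
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in text.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison rather than a string compare;
    missing trailing components are treated as 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def applicable_cves(generation: str) -> List[str]:
    """CVEs from DSA-2019-028 that apply to a generation at all: the overflow
    affects every generation, the two authentication bypasses only iDRAC9."""
    if generation == "iDRAC9":
        return ["CVE-2019-3705", "CVE-2019-3706", "CVE-2019-3707"]
    if generation in ("iDRAC6", "iDRAC7", "iDRAC8"):
        return ["CVE-2019-3705"]
    return []


def assess(generation: str, version: str) -> Dict[str, object]:
    """Triage one iDRAC: 'ok', 'upgrade' (with target version and CVEs), or
    'unknown-generation' for devices this advisory says nothing about."""
    if generation not in FIXED_ALL:
        return {"generation": generation, "version": version,
                "status": "unknown-generation", "target": None, "cves": []}
    target = FIXED_ALL[generation]
    needs_upgrade = version_lt(version, target)
    return {
        "generation": generation,
        "version": version,
        "status": "upgrade" if needs_upgrade else "ok",
        "target": target if needs_upgrade else None,
        "cves": applicable_cves(generation) if needs_upgrade else [],
    }


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the hosts that need an upgrade, sorted by host name."""
    findings = []
    for entry in inventory:
        result = assess(entry["generation"], entry["version"])
        if result["status"] == "upgrade":
            findings.append({"host": entry["host"], **result})
    return sorted(findings, key=lambda r: r["host"])


def unknown_generation(inventory: List[Dict[str, str]]) -> List[str]:
    """Hosts the advisory does not cover; report them separately rather than
    letting silence read as 'patched'."""
    return sorted(e["host"] for e in inventory if e["generation"] not in FIXED_ALL)


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['host']}: {f['generation']} {f['version']} -> upgrade to "
              f"{f['target']} ({', '.join(f['cves'])})")
    for host in unknown_generation(INVENTORY):
        print(f"{host}: not covered by DSA-2019-028, check its own vendor advisories")
```

The comparison is numeric per dotted component, which matters for firmware strings of unequal length; an entry that is not a plain dotted number raises rather than comparing, so a blank or free-text version field in the inventory surfaces as an error instead of a clean bill of health.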
Dell best practices for iDRAC:
In addition to maintaining current iDRAC firmware, Dell recommends the following:
- iDRACs are not designed for, nor intended to be placed on or connected to, the Internet; they should be on a separate management network. Placing or connecting iDRACs directly to the Internet may expose the connected systems to security and other risks for which Dell is not responsible.
- Beyond keeping iDRACs on a separate management subnet, users should isolate the management subnet/VLAN with technologies such as firewalls, and restrict access to that subnet/VLAN to authorized server administrators only.
- Dell Technologies recommends that customers consider any deployment factors that may be relevant to their environment when assessing their overall risk.
Remediation links:
Customers can download iDRAC firmware for PowerEdge servers. For all other platforms, select the platform from the Dell Support site.
Dell Technologies recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Affected Products
iDRAC7 with Lifecycle Controller Version 2.22.22.22, iDRAC6 for Monolithic Servers Version 2.85, iDRAC6 for Monolithic Servers Version 2.90, iDRAC6 for Monolithic Servers Version 2.91, iDRAC6 for Monolithic Servers Version 2.80, iDRAC6 for Monolithic Servers Version 1.99, iDRAC7 with Lifecycle Controller Version 2.13.13.12, iDRAC7 with Lifecycle Controller Version 2.15.10.10, iDRAC7 with Lifecycle Controller Version 2.43.43.43, iDRAC7 with Lifecycle Controller Version 2.21.21.21, iDRAC7 with Lifecycle Controller Version 2.30.30.30, iDRAC7 with Lifecycle Controller Version 2.40.40.40, iDRAC7 with Lifecycle Controller Version 2.41.40.40, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7 with Lifecycle Controller Version 2.10.10.10, iDRAC7 with Lifecycle Controller Version 2.20.20.20, iDRAC7 with Lifecycle Controller Version 2.31.31.30, iDRAC7 with Lifecycle Controller Version 2.32.31.30, iDRAC7 Version 1.65.65, iDRAC7 Version 1.66.65, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.18.17.13, iDRAC8 with Lifecycle Controller Version 2.30.119.30, iDRAC8 with Lifecycle Controller Version 2.35.35.35, iDRAC8 with Lifecycle Controller Version 2.42.110.40, iDRAC8 with Lifecycle Controller Version 2.45.45.40, iDRAC8 with Lifecycle Controller Version 2.55.55.50, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05, iDRAC8 with Lifecycle Controller Version 2.23.23.21, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC6 for Blade Servers Version 2.0, iDRAC6 for Blade Servers Version 2.1, iDRAC6 for Blade Servers Version 2.2, iDRAC for Blade Servers Version 1.0, iDRAC for Blade Servers Version 1.11, iDRAC for Blade Servers Version 1.2, iDRAC for Blade Servers Version 1.4, iDRAC for Blade Servers Version 1.5, iDRAC6 for Monolithic Servers Version 1.0, iDRAC6 for Monolithic Servers Version 1.1, iDRAC6 for Monolithic Servers Version 1.2, iDRAC6 for Monolithic Servers Version 1.3, iDRAC6 for Monolithic Servers Version 1.5, iDRAC6 for Monolithic Servers Version 1.7, iDRAC6 for Monolithic Servers Version 1.8, iDRAC6 for Monolithic Servers Version 1.9, iDRAC6 for Monolithic Servers Version 1.95, iDRAC6 for Monolithic Servers Version 1.97, iDRAC6 for Monolithic Servers Version 1.98, iDRAC7 Version 1.00.00, iDRAC7 Version 1.10.10, iDRAC7 Version 1.20.20, iDRAC7 Version 1.30.30, iDRAC7 Version 1.35.35, iDRAC7 Version 1.40.40, iDRAC7 Version 1.50.50, iDRAC7 Version 1.51.51, iDRAC7 Version 1.55.55, iDRAC7 Version 1.56.55, iDRAC7 Version 1.57.57, iDRAC8 with Lifecycle Controller Version 2.00.00.00, iDRAC8 with Lifecycle Controller Version 2.02.01.01
...
Article Properties
Article Number: 000176947
Article Type: Solution
Last Modified: 11 Dec 2024
Version: 4