PowerEdge: Dell EMC iDRAC Multiple Vulnerabilities (CVE-2018-15774 and CVE-2018-15776)

Summary: Dell EMC guidance on mitigating and resolving multiple vulnerabilities in iDRAC. Refer to this guide for specific information on the affected iDRAC versions and the next steps for applying the update.


Symptoms

CVE Identifiers: CVE-2018-15774, CVE-2018-15776

Severity: Medium

Affected products

  • Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 (CVE-2018-15774 and CVE-2018-15776)
  • Dell EMC iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 (CVE-2018-15774)

Summary
Dell EMC iDRAC has been updated to address multiple vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

Details:

  • Privilege escalation vulnerability (CVE-2018-15774)
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges may potentially exploit a privilege-checking flaw in the Redfish interface to gain administrator access.

  • Improper error handling vulnerability (CVE-2018-15776)
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system may potentially exploit this vulnerability to gain access to the u-boot shell.

Note: other iDRAC models are not affected by the vulnerabilities above.


Cause

Resolution

Resolution:
The following Dell EMC iDRAC firmware versions contain a resolution to these vulnerabilities:

iDRAC      iDRAC firmware version
iDRAC9     3.20.21.20
           3.21.24.22
           3.21.26.22
           3.23.23.23
iDRAC8     2.61.60.60
iDRAC7     2.61.60.60

Note: available as of the date of publication.

Dell Technologies recommends all customers upgrade at the earliest opportunity.
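As an added example (not Dell's code and not part of this advisory), the following Python script reads the standard Redfish Manager resource that every iDRAC exposes (/redfish/v1/Managers/iDRAC.Embedded.1) and compares its FirmwareVersion with the fixed versions listed above. It makes two assumptions that the advisory does not state: that 2.x firmware belongs to iDRAC7/iDRAC8 and 3.x or later to iDRAC9, and that the several iDRAC9 fixed versions are parallel release trains identified by their first three components. A build that sits between the lowest and highest fixed version but cannot be placed on a listed train is reported as "indeterminate" rather than silently counted as patched, which is the conservative reading for an inventory check. The sample Manager JSON is constructed for the example.

```python
"""Check an iDRAC firmware version against the fixed versions in the
Dell EMC advisory for CVE-2018-15774 / CVE-2018-15776.

Added example, not Dell code. Reads the standard Redfish Manager resource
and compares FirmwareVersion with the versions listed in the advisory.
"""
import base64
import json
import ssl
import urllib.request

# Fixed firmware versions taken from the advisory's resolution table.
IDRAC78_FIXED = [(2, 61, 60, 60)]
IDRAC9_FIXED = [(3, 20, 21, 20), (3, 21, 24, 22), (3, 21, 26, 22), (3, 23, 23, 23)]


def parse_version(text):
    """'3.21.26.22' -> (3, 21, 26, 22). Trailing non-numeric parts are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"unrecognised iDRAC firmware version: {text!r}")
    return tuple(parts)


def generation(version):
    """Assumption (not from the advisory): 2.x is iDRAC7/iDRAC8, 3.x+ is iDRAC9."""
    if version[0] == 2:
        return "iDRAC7/iDRAC8"
    if version[0] >= 3:
        return "iDRAC9"
    return "unknown"


def cves_for(gen):
    """iDRAC7/8 are affected by both CVEs; iDRAC9 only by CVE-2018-15774."""
    if gen == "iDRAC7/iDRAC8":
        return ("CVE-2018-15774", "CVE-2018-15776")
    if gen == "iDRAC9":
        return ("CVE-2018-15774",)
    return ()


def assess(version):
    """Return 'patched', 'vulnerable', 'indeterminate' or 'unknown' for a version tuple."""
    gen = generation(version)
    if gen == "unknown":
        return "unknown"
    fixed = IDRAC78_FIXED if gen == "iDRAC7/iDRAC8" else IDRAC9_FIXED
    if version >= max(fixed):
        return "patched"
    if version < min(fixed):
        return "vulnerable"
    # Between the lowest and highest fixed build: iDRAC9 ships parallel release trains.
    # Assumption: a train is identified by the first three components (3.21.24, 3.21.26, ...).
    same_train = [fv for fv in fixed if fv[:3] == version[:3]]
    if same_train:
        return "patched" if version >= same_train[0] else "vulnerable"
    # No listed train matches. If every fixed build in the same 3.x family is newer,
    # the build predates all of them and is vulnerable; anything else needs a manual look.
    same_family = [fv for fv in fixed if fv[:2] == version[:2]]
    if same_family and all(version < fv for fv in same_family):
        return "vulnerable"
    return "indeterminate"


def assess_manager(manager):
    """Assess a parsed Redfish Manager resource (dict) and return a summary dict."""
    version = parse_version(manager["FirmwareVersion"])
    gen = generation(version)
    return {
        "id": manager.get("Id"),
        "firmware": manager["FirmwareVersion"],
        "generation": gen,
        "status": assess(version),
        "cves": cves_for(gen),
    }


def fetch_manager(host, user, password, cafile=None):
    """GET the iDRAC Manager resource over Redfish with HTTP basic auth.

    iDRACs ship with self-signed certificates: pass a PEM bundle that trusts the
    iDRAC certificate via cafile instead of disabling verification.
    """
    url = f"https://{host}/redfish/v1/Managers/iDRAC.Embedded.1"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response, not captured from a real iDRAC.
SAMPLE_MANAGER = json.loads("""{
  "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1",
  "Id": "iDRAC.Embedded.1",
  "FirmwareVersion": "3.21.23.22",
  "Model": "14G Monolithic"
}""")

if __name__ == "__main__":
    print(json.dumps(assess_manager(SAMPLE_MANAGER), indent=2))
```

Run as-is it evaluates the constructed sample offline; to check a live controller, replace SAMPLE_MANAGER with fetch_manager(host, user, password, cafile=...) from a host on the management subnet. Because iDRAC is only reachable from that subnet when deployed as recommended below, the check belongs in the same place as the rest of the out-of-band tooling, not on a general-purpose network.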

Dell EMC best practices for iDRAC

In addition to keeping iDRAC firmware up to date, Dell EMC recommends the following:

  • iDRAC is not designed to be placed on or connected to the Internet; it is intended to be on a separate management network. Placing or connecting iDRAC directly to the Internet may expose the connected systems to security and other risks for which Dell EMC is not responsible.
  • Along with keeping iDRAC on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.
  • Dell Technologies recommends that customers consider any deployment factors that may be relevant to their environment in order to assess their overall risk.

Remediation links

Customers can download iDRAC firmware for PowerEdge servers and all other platforms by selecting the platform on the Dell Support site.


Acknowledgements

CVE-2018-15776: Dell EMC would like to thank Jon Sands and Adam Nielsen for reporting this issue.

Dell Technologies recommends all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Affected Products

Hyper-converged Systems, Datacenter Scalable Solutions, PowerEdge, iDRAC7/8 with Lifecycle Controller Version 2.61.60.60, Precision 7920 Rack, Precision Rack 7910

Products

PowerEdge XR2, PowerEdge FC640, PowerEdge M640, PowerEdge M640 (for PE VRTX), PowerEdge MX740C, PowerEdge MX750c, PowerEdge MX760c, PowerEdge MX840C, PowerEdge R240, PowerEdge R250, PowerEdge R260, PowerEdge R340, PowerEdge R350, PowerEdge R360 , PowerEdge R440, PowerEdge R450, PowerEdge R540, PowerEdge R550, PowerEdge R640, PowerEdge R6415, PowerEdge R650, PowerEdge R650xs, PowerEdge R6515, PowerEdge R6525, PowerEdge R660, PowerEdge R660xs, PowerEdge R6615, PowerEdge R6625, PowerEdge R740, PowerEdge R740XD, PowerEdge R740XD2, PowerEdge R7415, PowerEdge R7425, PowerEdge R750, PowerEdge R750XA, PowerEdge R750xs, PowerEdge R7515, PowerEdge R7525, PowerEdge R760, PowerEdge R760XA, PowerEdge R760xd2, PowerEdge R760xs, PowerEdge R7615, PowerEdge R7625, PowerEdge R840, PowerEdge R860, PowerEdge R940, PowerEdge R940xa, PowerEdge R960, PowerEdge T140, PowerEdge T150, PowerEdge T160, PowerEdge T340, PowerEdge T350, PowerEdge T360, PowerEdge T440, PowerEdge T550, PowerEdge T560, PowerEdge T640, PowerEdge XE2420, PowerEdge XE7420, PowerEdge XE7440, PowerEdge XE8545, PowerEdge XE8640, PowerEdge XE9640, PowerEdge XE9680, PowerEdge XR11, PowerEdge XR12, PowerEdge XR4510c, PowerEdge XR4520c ...
Article Properties
Article Number: 000177031
Article Type: Solution
Last Modified: 09 Dec 2024
Version:  6