Dell EMC Response to Common Vulnerabilities and Exposures - CVE-2019-9506

Summary: Dell EMC Response to Common Vulnerabilities and Exposures - CVE-2019-9506

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

[13 August 2019]
OVERVIEW

The following is the Dell EMC response to CVE-2019-9506.

TECHNICAL SUMMARY

The Bluetooth BR/EDR encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated attacker with adjacent (wireless range) access to reduce the entropy of the negotiated encryption key, potentially resulting in information disclosure and/or escalation of privileges. The specification permits negotiated key sizes as small as 1 octet and does not protect the negotiation messages, so a successful attack makes brute-force recovery of the key, and with it decryption and injection of traffic, practical. Dell EMC is not currently aware of this vulnerability being exploited.
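The following is an added example, not Dell EMC code and not an LMP implementation. It models the BR/EDR encryption key size negotiation described above, shows how an attacker who can rewrite the unauthenticated negotiation messages forces a 1-octet key, demonstrates why such a key falls to exhaustive search from a single known-plaintext packet, and then shows the host-side minimum key size check that defeats the manipulation. The Device class, the entropy-reduction model, the SHAKE-based stand-in for the E0 stream cipher and the sample packet are all constructed for illustration.

```python
# Added example (not Dell's code): a model of the Bluetooth BR/EDR encryption key
# size negotiation (LMP_encryption_key_size_req / LMP_accepted) and of the
# man-in-the-middle manipulation described in CVE-2019-9506, followed by the
# host-side minimum key size check that defeats it. The Device class, the
# entropy-reduction model and the SHAKE-based stand-in for the E0 stream cipher
# are illustrative simplifications, not an LMP implementation.
import hashlib
import os

LMP_MAX_KEY_SIZE = 16         # octets; the specification maximum
LMP_SPEC_MIN_KEY_SIZE = 1     # octets; the specification permits keys this small (the root of the problem)
RECOMMENDED_MIN_KEY_SIZE = 7  # octets; minimum recommended after the attack and enforced by hardened hosts


class Device:
    """A BR/EDR peer that follows the LMP rule: accept a proposed key size if it is
    within [min_key_size, max_key_size], otherwise reject (LMP_not_accepted)."""

    def __init__(self, name, max_key_size=LMP_MAX_KEY_SIZE, min_key_size=LMP_SPEC_MIN_KEY_SIZE):
        self.name = name
        self.max_key_size = max_key_size
        self.min_key_size = min_key_size

    def propose(self):
        return self.max_key_size

    def respond(self, proposed):
        if proposed < self.min_key_size:
            return None                      # LMP_not_accepted: abort encryption setup
        return min(proposed, self.max_key_size)


def negotiate(initiator, responder, mitm=None):
    """Return the negotiated key size in octets, or None if a peer rejects.
    `mitm`, if given, rewrites every key size value that crosses the air interface;
    LMP messages are neither authenticated nor integrity protected, so this is
    exactly what an adjacent attacker can do."""
    proposal = initiator.propose()
    if mitm:
        proposal = mitm(proposal)
    reply = responder.respond(proposal)
    if reply is None:
        return None
    if mitm:
        reply = mitm(reply)
    return initiator.respond(reply)


def reduce_entropy(link_key, key_size):
    """Model of the key reduction: only `key_size` octets of the 16-octet key vary.
    (Real BR/EDR uses a polynomial modulus; the effect on entropy is the same.)"""
    return link_key[:key_size] + bytes(LMP_MAX_KEY_SIZE - key_size)


def keystream(key, nbytes):
    """Stand-in for the E0 stream cipher; any keyed PRF illustrates the entropy argument."""
    return hashlib.shake_256(key).digest(nbytes)


def encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(key_size, ciphertext, known_plaintext):
    """Recover the reduced key from one known-plaintext packet by exhaustive search.
    The search space is 256**key_size: 256 candidates at 1 octet, 2**128 at 16."""
    target = bytes(a ^ b for a, b in zip(ciphertext, known_plaintext))
    for candidate in range(256 ** key_size):
        key = candidate.to_bytes(key_size, "little") + bytes(LMP_MAX_KEY_SIZE - key_size)
        if keystream(key, len(target)) == target:
            return key
    return None


if __name__ == "__main__":
    alice, bob = Device("alice"), Device("bob")
    knob = lambda _: 1                       # attacker forces a 1-octet key
    print("honest negotiation:", negotiate(alice, bob), "octets")
    forced = negotiate(alice, bob, mitm=knob)
    print("under attack:", forced, "octet")
    weak = reduce_entropy(os.urandom(16), forced)
    packet = b"L2CAP header"                 # constructed known plaintext
    print("key recovered by brute force:", brute_force(forced, encrypt(weak, packet), packet) == weak)
    hard_a = Device("alice", min_key_size=RECOMMENDED_MIN_KEY_SIZE)
    hard_b = Device("bob", min_key_size=RECOMMENDED_MIN_KEY_SIZE)
    print("hardened hosts under attack:", negotiate(hard_a, hard_b, mitm=knob))
```

The point of the last two lines is the practical mitigation: a host that refuses to proceed when the negotiated size is below 7 octets turns the attack from a silent downgrade into a failed connection, which is the behaviour patched Bluetooth stacks adopted.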

For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the database’s search utility at http://web.nvd.nist.gov/view/vuln/search.

Dell EMC Response

The above CVE does not apply to the "iDRAC Quick Sync 2" option, given its design and intended use. The iDRAC Quick Sync 2 solution uses Bluetooth Low Energy (BLE) and disables Bluetooth Classic connections. CVE-2019-9506 is specific to Bluetooth BR/EDR (Classic) connections, whose encryption key size negotiation is the mechanism the attack manipulates; Quick Sync 2 accepts only BLE connections. In addition, Quick Sync 2 does not rely on the standard security mechanisms defined in the Bluetooth specification: the Dell EMC solution uses the "Just Works" (no authentication) pairing method, and all authentication and encryption is performed at the application layer using a Dell proprietary protocol. Because "Just Works" pairing provides no link-layer authentication, the security of a Quick Sync 2 session rests on that application-layer protocol rather than on Bluetooth pairing.
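A practitioner who wants to verify the "BLE only" claim for a device in their own environment can start with what the device advertises. The following is an added example, not Dell EMC code: it parses raw BLE advertising data into its AD structures and checks the Flags field for the "BR/EDR Not Supported" bit, which a BLE-only advertiser sets to announce that it will not accept Bluetooth Classic connections. The advertising payloads and the device name are constructed for the example; the real ones would be captured with a BLE sniffer or with the BlueZ tools `btmon` or `hcitool lescan` on a Linux host.

```python
# Added example (not Dell's code): parse raw BLE advertising data into its AD
# structures and check the Flags field for "BR/EDR Not Supported", the bit a
# BLE-only advertiser sets to announce it will not accept Bluetooth Classic
# connections. The advertising payloads and the device name below are
# constructed for this example, not captured from real hardware.
AD_TYPE_FLAGS = 0x01
AD_TYPE_COMPLETE_LOCAL_NAME = 0x09

# Flags AD bit assignments (Bluetooth Core Specification Supplement, Part A, 1.3)
FLAG_LE_LIMITED_DISCOVERABLE = 0x01
FLAG_LE_GENERAL_DISCOVERABLE = 0x02
FLAG_BR_EDR_NOT_SUPPORTED = 0x04
FLAG_SIMULTANEOUS_LE_BREDR_CONTROLLER = 0x08
FLAG_SIMULTANEOUS_LE_BREDR_HOST = 0x10


def parse_ad_structures(adv):
    """Split raw advertising data (a sequence of <length><type><payload>) into a
    {ad_type: payload} dict. A zero length ends the significant part; a length
    that runs past the buffer is a malformed packet and is rejected."""
    structures = {}
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = adv[i + 1]
        structures[ad_type] = bytes(adv[i + 2 : i + 1 + length])
        i += 1 + length
    return structures


def bredr_supported(adv):
    """True if the advertiser may accept BR/EDR (Classic) connections.
    If no Flags AD is present nothing has been declared, so the conservative
    answer is True: do not assume BR/EDR is disabled without evidence."""
    flags = parse_ad_structures(adv).get(AD_TYPE_FLAGS)
    if not flags:
        return True
    return not (flags[0] & FLAG_BR_EDR_NOT_SUPPORTED)


# Constructed sample advertisements (not captured from real hardware).
# Flags 0x06 = LE General Discoverable | BR/EDR Not Supported  -> BLE-only device
SAMPLE_BLE_ONLY = bytes([0x02, AD_TYPE_FLAGS, 0x06,
                         0x0C, AD_TYPE_COMPLETE_LOCAL_NAME]) + b"EXAMPLE-DEV"
# Flags 0x1A = LE General Discoverable | Simultaneous LE/BR-EDR (controller + host)
SAMPLE_DUAL_MODE = bytes([0x02, AD_TYPE_FLAGS, 0x1A,
                          0x0C, AD_TYPE_COMPLETE_LOCAL_NAME]) + b"EXAMPLE-DEV"

if __name__ == "__main__":
    for label, adv in (("BLE-only", SAMPLE_BLE_ONLY), ("dual-mode", SAMPLE_DUAL_MODE)):
        ads = parse_ad_structures(adv)
        print(label, ads[AD_TYPE_COMPLETE_LOCAL_NAME].decode(),
              "flags=0x%02x" % ads[AD_TYPE_FLAGS][0],
              "BR/EDR possible:", bredr_supported(adv))
```

The flag is a self-declaration by the advertiser, so it is evidence of intent rather than proof of enforcement. To confirm that Classic connections are really disabled, follow up by running a BR/EDR inquiry and a page (connection attempt) against the device's address: a BLE-only device should answer neither.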

The following table lists the iDRAC firmware versions by server generation and the Dell EMC response for each.

iDRAC     iDRAC firmware version   Target release date   Dell EMC response
iDRAC9    3.00.00.00 or higher     N/A                   Not Affected (uses BLE only)
iDRAC8    Any                      N/A                   Does not use Bluetooth
iDRAC7    Any                      N/A                   Does not use Bluetooth
iDRAC6    Any                      N/A                   Does not use Bluetooth

Dell EMC Best Practices regarding iDRAC

In addition to keeping iDRAC firmware up to date and disabling legacy protocol versions in your browser, Dell EMC also advises the following:
  • iDRACs are not designed or intended to be placed on or connected to the Internet; they are intended to be on a separate management network. Placing or connecting iDRACs directly to the Internet could expose the connected system to security and other risks for which Dell EMC is not responsible.
  • Along with locating iDRACs on a separate management subnet, isolate the management subnet/VLAN with technologies such as firewalls, and limit access to the subnet/VLAN to authorized server administrators.

Legal Information:

Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.



Affected Products

PowerEdge, iDRAC7 with Lifecycle Controller Version 2.13.13.12, iDRAC7 with Lifecycle Controller Version 2.15.10.10, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.63.60.61 , iDRAC7/8 with Lifecycle Controller Version 2.63.60.62, iDRAC7 Version 1.65.65, iDRAC7 Version 1.66.65, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05 ...
Article Properties
Article Number: 000177059
Article Type: Solution
Last Modified: 05 May 2026
Version:  5