iDRAC10 Security Configuration Guide

Network Vulnerability Scanning

Network vulnerability scanning is one of the many controls included as part of iDRAC’s Security Design Lifecycle (SDL). Multiple industry-leading tools are used to verify that iDRAC maintains secure protocols and is not exposed to newly published CVEs and vulnerabilities. The table below outlines the known findings that may be highlighted when using these scanning tools and the Dell Response.

NOTE: Dell Technologies recommends configuring the iDRAC to the secure settings recommended in the table below before running the scans.

Table 1. Network Vulnerability Scanning
The following table describes the network vulnerability scanning findings:
Vulnerability Port Dell Response
1. Self-signed SSL certificate 443 This is a result of having self-signed SSL keys which cannot be verified by a certificate authority. To remove this finding, follow the steps that are outlined in the Importing iDRAC Firmware SSL Certificate section of the iDRAC10 User Guide.
2. SSL certificate cannot be trusted. 443
3. The subject common name does not match the entity name (FQDN) 443
4. Improper SSL certificate usage 443
5. SSL signature verification failed 443
6. SSL certificate invalid maximum validity date detected 443
7. TLS/SSL Weak Message Authentication Code Cipher Suites 443 This is a result of the server using the following two cipher suites:
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
To remove this finding, disable the ciphers through iDRAC web interface or RACADM command-line interface.
8. Default/Guessable SNMP community names resulting in readable SNMP information (CVE-1999-0516, CVE-1999-0517) 161 This is a result of SNMP being enabled. To remove this finding, disable SNMP or update to SNMPv3 with an updated SNMP Community Agent Name. To update the Community Agent name, use the racadm command: racadm set idrac.SNMP.CommunityAgent <name>. To update to SNMPv3, use the racadm command: racadm set idrac.SNMP.SNMPProtocol 1.
9. SNMP credentials transmitted in cleartext 161 This is a result of SNMPv2 being enabled. To remove this finding, disable SNMP or enable SNMPv3 only. To update to SNMPv3, use the racadm command: racadm set idrac.SNMP.SNMPProtocol 1.
10. SNMP protocol version detected 161
11. SNMP GETBULK reflected distributed DOS 161
12. IPMIv2 Password Hash exposure (CVE-2013-4786, CVE-2013-4037) 623 This is a result of IPMI over LAN being enabled. To remove this finding, disable IPMI over LAN. To disable IPMI over LAN, use the racadm command: racadm set idrac.ipmilan.Enable 0.
13. IPMIv1.5 GetChannelAuth response information disclosure 623
14. IPMIv2 Authentication Username Disclosure 623
15. SSH brute force login with default credentials 22 This is a result of a default password being used. To remove this finding, change the password. For more information about changing passwords, see the Configuring User Accounts and Privileges section of the iDRAC10 User Guide.
16. Dell Remote Access Controller default password for "root" account N/A
17. UDP constant IP identification field fingerprinting (CVE-2002-0510) N/A Dell does not consider this an issue and there are many ways to identify or fingerprint a Linux machine.
18. VNC remote control service detected 5901 This is a result of VNC being enabled. To remove this finding, disable VNC. To disable VNC, use the racadm command: racadm set idrac.VNCServer.enable 0.
19. Anonymous root login is allowed. N/A False positive. There is no root login or access to the iDRAC file system.
20. Nonabsolute directory entries found in the PATH variable N/A
21. TCP timestamp response N/A Dell does not consider the TCP timestamp response to be a security vulnerability given iDRAC’s design and use. Knowledge of iDRAC’s uptime is not considered a risk and its operating system is well-known and documented.
22. TCP sequence number approximation-based DOS (CVE-2004-0230) N/A Dell considers CVE-2004-0230 to be a vulnerability with minimal security risk, as it mainly affects long-lived connections, such as those of BGP routers. If the systems are installed according to Dell Best Practices, then the management network is separate from the host data network and can be isolated from the Internet over a firewall/VPN combination if connected at all. Access to the management network is limited to authorized administrative personnel, so security risks are minimized.
23. The host is vulnerable to the TLS Triple Handshake Vulnerability. 443 The TLS Triple Handshake attack is a false positive because iDRAC does not use client certificates or channel binding for authentication. Many scan tools are looking for this extension and are simply reporting that the extension is not present.
24. SSH Weak Key Exchange Algorithms Enabled N/A Use racadm get idRAC.SSHCrypto.KexAlgorithms to check the SSH algorithms in use. Remove the weaker SHA1 algorithm from the string and set it using racadm set idRAC.SSHCrypto.KexAlgorithms.
25. SSH Server CBC Mode Ciphers Enabled N/A Use racadm get idRAC.SSHCrypto.Ciphers to check the SSH ciphers in use. Remove the weaker CBC ciphers from the string and set it using racadm set idRAC.SSHCrypto.Ciphers.
26. OpenSSH remote code execution (CVE-2023-38408) 22 There is no impact for this OpenSSH vulnerability because Dell does not enable AllowAgentForwarding in the sshd configuration in iDRAC.
27. OpenSSH authentication bypass (CVE-2021-36368) 22 There is no impact for this OpenSSH vulnerability because Dell does not support the OpenSSH authentication type None in iDRAC.
28. OpenSSH row hammer attack (CVE-2023-51767) 22 There is no impact for this OpenSSH vulnerability because of iDRAC's design and RACADM's restricted shell.
29. OpenSSH command injection (CVE-2023-51385) 22 There is no impact for this OpenSSH vulnerability as it only affects SSH client devices.
30. OpenSSH privilege escalation (CVE-2021-41617) 22 There is no impact for this OpenSSH vulnerability because Dell does not enable AuthorizedKeysCommand and AuthorizedPrincipalsCommand of OpenSSH in iDRAC.
34. OpenSSH sensitive information disclosure (CVE-2023-28531) 22 There is no impact for this OpenSSH vulnerability because Dell does not support Smartcard keys or use ssh-add in iDRAC.
35. OpenSSH vulnerability (CVE-2023-51385) 22 Affects SSH clients and hence no impact on iDRAC.
36. OpenSSH vulnerability (CVE-2023-51767) 22 There is no impact on iDRAC because of its design and how it is deployed. The restricted Shell scripts of RACADM help to mitigate this vulnerability.
37. OpenSSH vulnerability (CVE-2024-39894) 22 Affects SSH clients and hence no impact on iDRAC.
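
For findings 24 and 25, the value read back with racadm get has to be edited by hand before it is written back with racadm set. The following is an added example, not Dell's own tooling: a POSIX shell helper that drops SHA-1 key exchange algorithms or CBC-mode ciphers from a comma-separated list and refuses to produce an empty list. The function name harden_list and the sample lists are assumptions made for illustration; the helper expects only the comma-separated value, not the full racadm output.

```shell
#!/bin/sh
# Added example (not part of the Dell guide).
# harden_list KIND LIST
#   KIND "kex"    -> drop SHA-1 based key exchange algorithms (finding 24)
#   KIND "cipher" -> drop CBC-mode ciphers (finding 25)
#   LIST is the comma-separated value shown by
#   "racadm get idRAC.SSHCrypto.KexAlgorithms" or "... idRAC.SSHCrypto.Ciphers".
# The body runs in a subshell so IFS and "set -f" do not leak to the caller.
harden_list() (
    kind=$1
    list=$2
    kept=
    set -f                      # no filename expansion while splitting
    IFS=,
    for alg in $list; do
        # Trim blanks or carriage returns around an entry.
        alg=$(printf '%s' "$alg" | tr -d ' \t\r')
        [ -n "$alg" ] || continue
        case "$kind:$alg" in
            kex:*-sha1|kex:*-sha1@*)     continue ;;   # SHA-1 key exchange
            cipher:*-cbc|cipher:*-cbc@*) continue ;;   # CBC-mode cipher
        esac
        kept=${kept:+$kept,}$alg
    done
    # Never emit an empty list: writing it back would leave SSH with no
    # usable algorithm of this kind.
    [ -n "$kept" ] || { echo "no $kind algorithm left after filtering" >&2; exit 1; }
    printf '%s\n' "$kept"
)

# Constructed sample values, not read from a real iDRAC.
KEX_SAMPLE='curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1'
CIPHER_SAMPLE='aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc'

# Print the commands for review instead of running them.
new_kex=$(harden_list kex "$KEX_SAMPLE") &&
    echo "racadm set idRAC.SSHCrypto.KexAlgorithms $new_kex"
new_ciphers=$(harden_list cipher "$CIPHER_SAMPLE") &&
    echo "racadm set idRAC.SSHCrypto.Ciphers $new_ciphers"
```

Compare the printed value with what the SSH clients in use support before applying it, then rerun racadm get to confirm the stored string.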
