iDRAC9 Security Configuration Guide

Network Vulnerability Scanning

Network vulnerability scanning is one of the many controls in iDRAC's Security Design Lifecycle (SDL). Several industry-leading scanners are used to verify that iDRAC keeps its protocols secure and is not exposed to newly published CVEs and vulnerabilities. The table below lists the findings these tools are known to raise against iDRAC, together with the Dell response to each.

NOTE: Dell Technologies recommends configuring the iDRAC to the secure settings recommended in the table below before running the scans, so that only the findings Dell treats as false positives or accepted risks remain in the report.
Table 1. Network Vulnerability Scanning
Columns: Vulnerability, iDRAC Version, Port, Dell Response. Where several findings share one root cause, the response is given once and the other rows refer to it. Rows with no Port entry are reported without a port by the scanners.

1. Self-signed SSL certificate
   iDRAC Version: 9, 8, 7
   Port: 443, 5900
   Dell Response: The iDRAC ships with a self-signed certificate, which no certificate authority can verify. To remove this finding, install a certificate issued by your own CA by following the steps in the Importing iDRAC Firmware SSL Certificate section of the iDRAC9 User Guide. Issue it for the iDRAC's FQDN with a validity period your scanner accepts; the same certificate clears findings 2 through 6.

2. SSL certificate cannot be trusted
   iDRAC Version: 9, 8, 7
   Port: 443
   Dell Response: Same as row 1.

3. Subject common name does not match the entity name (FQDN)
   iDRAC Version: 9, 8, 7
   Port: 443, 5900
   Dell Response: Same as row 1.

4. Improper SSL certificate usage
   iDRAC Version: 9, 8, 7
   Port: 443, 5900
   Dell Response: Same as row 1.

5. SSL signature verification failed
   iDRAC Version: 9, 8, 7
   Port: 443, 5900
   Dell Response: Same as row 1.

6. SSL certificate invalid maximum validity date detected
   iDRAC Version: 9
   Port: 443, 5900
   Dell Response: Same as row 1.

7. TLS/SSL server is using commonly used prime numbers
   iDRAC Version: 9, 8, 7
   Port: 443
   Dell Response: The server uses a common or default prime as the group parameter in Diffie-Hellman (DHE) key exchange. To remove this finding:
     • Enable only TLS 1.2. To set the TLS version to 1.2 only, see the Configuring TLS section of the iDRAC9 User Guide.
     • Remove the DHE_RSA cipher suites from the web server: racadm set idrac.webserver.CustomCipherString ALL:!DHE
   Alternatively, set the custom cipher string in the iDRAC web GUI under iDRAC Settings > Web Server > Settings > Custom Cipher String and enter ALL:!DHE. The ECDHE suites remain available, so clients keep forward secrecy without the finite-field DH groups the scanner objects to. Confirm the setting with racadm get idrac.webserver.CustomCipherString.

8. TLS version 1.1 is supported
   iDRAC Version: 9, 8, 7
   Port: 443, 5900
   Dell Response: TLS 1.1 is still offered. Enable only TLS 1.2 to remove this finding; to set the TLS version to 1.2 only, see the Configuring TLS section of the iDRAC9 User Guide. The finding is reported on both 443 and 5900, so re-scan both ports after the change.

9. Default/Guessable SNMP community names resulting in readable SNMP information (CVE-1999-0517)
   iDRAC Version: 9, 8, 7
   Port: 161
   Dell Response: SNMP v1/v2c is enabled by default with the community string public. To remove this finding, either change the community string or allow SNMPv3 only. To change the community string: racadm set idrac.SNMP.AgentCommunity <name>. To allow SNMPv3 only: racadm set idrac.SNMP.SNMPProtocol 1. A new community string only stops guessing; it still crosses the network in cleartext (row 10), so SNMPv3 is the stronger fix.

10. SNMP credentials transmitted in cleartext
   iDRAC Version: 9, 8, 7
   Port: 161
   Dell Response: SNMP v1/v2c is enabled by default, and both versions send the community string unencrypted. To remove this finding, allow SNMPv3 only: racadm set idrac.SNMP.SNMPProtocol 1. Monitoring systems that poll the iDRAC must then be reconfigured for SNMPv3 with authentication and privacy.

11. SNMP protocol version detected
   iDRAC Version: 9, 8, 7
   Port: 161
   Dell Response: Same as row 10.

12. SNMP GETBULK reflected distributed DoS
   iDRAC Version: 9, 8, 7
   Port: 161
   Dell Response: Same as row 10.

13. IPMIv2 Password Hash exposure (CVE-2013-4786, CVE-2013-4037)
   iDRAC Version: 9, 8, 7
   Port: 623
   Dell Response: IPMI over LAN is enabled. The IPMI 2.0 RAKP handshake returns an HMAC of the user's password to any client that asks for it, which can then be cracked offline; this is inherent to the protocol, so the fix is to disable IPMI over LAN: racadm set idrac.ipmilan.Enable 0. Tools that rely on it (for example ipmitool -I lanplus) stop working; if IPMI over LAN must stay enabled, use long random passwords and keep UDP/623 off untrusted networks.

14. IPMIv1.5 GetChannelAuth response information disclosure
   iDRAC Version: 9, 8, 7
   Port: 623
   Dell Response: Same as row 13.

15. IPMIv2 Authentication Username Disclosure
   iDRAC Version: 9, 8, 7
   Port: 623
   Dell Response: Same as row 13.

16. Telnet Server not encrypted
   iDRAC Version: 9, 8, 7
   Port: 23
   Dell Response: Telnet is enabled. To remove this finding, disable Telnet and use SSH instead. Enable SSH first and confirm you can log in over it, then disable Telnet:
     • racadm set idrac.SSH.Enable 1
     • racadm set idrac.Telnet.Enable 0

17. Remote management service accepting unencrypted credentials
   iDRAC Version: 9
   Port: 23
   Dell Response: Same as row 16.

18. FreeBSD Telnetd code execution (CVE-2011-4862)
   iDRAC Version: 9
   Dell Response: False positive; the scanner flags the Telnet service itself. To remove it from the report, disable Telnet: racadm set idrac.Telnet.Enable 0

19. SSH brute force login with default credentials
   iDRAC Version: 9
   Port: 22
   Dell Response: A default password is in use. To remove this finding, change the password. For more information on changing passwords, see the Configuring User Accounts and Privileges section of the iDRAC9 User Guide.

20. Dell Remote Access Controller default password for "root" account
   iDRAC Version: 9
   Dell Response: Same as row 19.

21. OpenSSH username enumeration (CVE-2018-15473)
   iDRAC Version: 9, 8, 7
   Port: 22
   Dell Response: Fixed in iDRAC8 2.70.70.70 and later on 12G/13G systems, and in iDRAC9 3.30.30.30 and later on 14G/15G systems. Update the firmware to remove this finding.

22. UDP constant IP identification field fingerprinting (CVE-2002-0510)
   iDRAC Version: 9
   Dell Response: Dell does not consider this an issue; there are many other ways to identify or fingerprint a Linux machine.

23. VNC remote control service detected
   iDRAC Version: 9, 8, 7
   Port: 5901
   Dell Response: VNC is enabled. To remove this finding, disable VNC: racadm set idrac.VNCServer.enable 0

24. Anonymous root login is allowed
   iDRAC Version: 9, 8, 7
   Dell Response: False positive. There is no root login on, and no access to, the iDRAC file system.

25. Non-absolute directory entries found in the PATH variable
   iDRAC Version: 9, 8, 7
   Dell Response: Same as row 24.

26. TCP timestamp response
   iDRAC Version: 9, 8, 7
   Dell Response: Dell does not consider the TCP timestamp response a security vulnerability given iDRAC's design and use. Knowledge of the iDRAC's uptime is not considered a risk, and its operating system is well known and documented.

27. TCP sequence number approximation-based DoS (CVE-2004-0230)
   iDRAC Version: 9
   Dell Response: Dell considers CVE-2004-0230 a vulnerability with minimal security risk, as it mainly affects long-lived connections such as BGP sessions on routers. If the systems are installed according to Dell best practices, the management network is separate from the host data network and, if connected to the Internet at all, is isolated from it by a firewall/VPN combination. Access to the management network is limited to authorized administrative personnel, which minimizes the risk.

28. Host is vulnerable to extended master secret TLS extension (TLS triple handshake)
   iDRAC Version: 9, 8, 7
   Port: 443
   Dell Response: iDRAC does not implement the TLS Extended Master Secret extension, and most scanners simply report that the extension is absent. The Triple Handshake attack itself is a false positive for iDRAC, because it requires client certificate authentication or channel binding, neither of which iDRAC uses.

29. SSH Weak Key Exchange Algorithms Enabled
   iDRAC Version: 9
   Dell Response: Run racadm get iDRAC.SSHCrypto.KexAlgorithms to see the key exchange list in use. Remove the SHA-1 entries (those ending in -sha1) from the string and write it back with racadm set iDRAC.SSHCrypto.KexAlgorithms <list>. The set command replaces the whole list, so pass every algorithm you want to keep, comma-separated, and never an empty list.

30. SSH Server CBC Mode Ciphers Enabled
   iDRAC Version: 9
   Dell Response: Run racadm get iDRAC.SSHCrypto.Ciphers to see the cipher list in use. Remove the CBC ciphers (those ending in -cbc) from the string and write it back with racadm set iDRAC.SSHCrypto.Ciphers <list>. As with row 29, the set command replaces the whole list.

31. OpenSSH privilege escalation (CVE-2021-41617)
   iDRAC Version: 9
   Port: 22
   Dell Response: No impact. The vulnerability requires AuthorizedKeysCommand or AuthorizedPrincipalsCommand to be configured in OpenSSH, and Dell does not enable either in iDRAC.
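The remediations in rows 7 through 23 and the list editing in rows 29 and 30 are all racadm get/set operations, so they can be checked mechanically. The script below is an example added here; it is not part of Dell's guide or of the iDRAC firmware. It audits a saved racadm get dump against those rows and prints the remediating command for each gap. It assumes the [Key=iDRAC.Embedded.1#Group.1] header lines that racadm prints for a group, the display values All and SNMPv3 for iDRAC.SNMP.SNMPProtocol, and the iDRAC.WebServer.TLSProtocol attribute with the value TLS 1.2 Only, none of which appear on this page; confirm them with racadm get on your firmware first. The sample dump is constructed.

```shell
#!/bin/sh
# Added example, not Dell code: audit a saved "racadm get" dump against the
# settings recommended in Table 1 and print, for every gap, the table row it
# maps to and the racadm command that closes it (rows 7-10, 13, 16, 23, 29, 30).
# Collect the dump from a real iDRAC with, for example:
#   for g in iDRAC.WebServer iDRAC.SNMP iDRAC.IPMILan iDRAC.Telnet \
#            iDRAC.SSH iDRAC.VNCServer iDRAC.SSHCrypto; do
#     racadm -r "$IDRAC_IP" -u root -p "$PASS" get "$g"; done > idrac.dump
# Assumptions: the [Key=iDRAC.Embedded.1#Group.1] header lines, the SNMPProtocol
# display values and the iDRAC.WebServer.TLSProtocol attribute come from the
# iDRAC attribute registry, not from this page; confirm with "racadm get" first.

# Constructed sample dump with factory-style settings so every check fires.
SAMPLE_DUMP='[Key=iDRAC.Embedded.1#WebServer.1]
TLSProtocol=TLS 1.1 and Higher
CustomCipherString=
[Key=iDRAC.Embedded.1#SNMP.1]
AgentCommunity=public
SNMPProtocol=All
[Key=iDRAC.Embedded.1#IPMILan.1]
Enable=Enabled
[Key=iDRAC.Embedded.1#Telnet.1]
Enable=Enabled
[Key=iDRAC.Embedded.1#SSH.1]
Enable=Disabled
[Key=iDRAC.Embedded.1#VNCServer.1]
Enable=Enabled
[Key=iDRAC.Embedded.1#SSHCrypto.1]
KexAlgorithms=curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
Ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc'

# get_attr <dump> <group> <attribute>: one attribute value, empty if absent.
get_attr() {
    printf '%s\n' "$1" | awk -v grp="$2" -v key="$3" '
        /^\[Key=/ { n = split($0, k, "#"); cur = k[n]; sub(/\.[0-9]+]$/, "", cur); next }
        cur == grp && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }'
}

# drop_matching <csv> <ERE>: remove comma-separated entries matching the pattern.
drop_matching() {
    printf '%s\n' "$1" | awk -v re="$2" -F, '{ out = ""
        for (i = 1; i <= NF; i++) if ($i !~ re) out = out (out == "" ? "" : ",") $i
        print out }'
}

# finding <row> <detail> <racadm args>: report one gap and the command that fixes it.
finding() {
    printf 'FINDING row %s: %s\n' "$1" "$2"
    printf 'FIX: racadm %s\n' "$3"
}

# audit <dump>: compare each setting the table covers with its secure value.
audit() {
    d="$1"
    v=$(get_attr "$d" WebServer TLSProtocol)
    [ "$v" = "TLS 1.2 Only" ] || [ "$v" = "TLS 1.3 Only" ] ||
        finding 8 "TLS 1.1 still offered (TLSProtocol='$v')" "set iDRAC.WebServer.TLSProtocol 'TLS 1.2 Only'"
    case "$(get_attr "$d" WebServer CustomCipherString)" in
        *'!DHE'*) ;;
        *) finding 7 "DHE suites with well-known DH primes still enabled" \
                   "set iDRAC.WebServer.CustomCipherString 'ALL:!DHE'" ;;
    esac
    [ "$(get_attr "$d" SNMP AgentCommunity)" != "public" ] ||
        finding 9 "default SNMP community string 'public'" "set iDRAC.SNMP.AgentCommunity <new-community>"
    [ "$(get_attr "$d" SNMP SNMPProtocol)" = "SNMPv3" ] ||
        finding 10 "SNMP v1/v2c accepted, credentials cross the wire in cleartext" "set iDRAC.SNMP.SNMPProtocol 1"
    [ "$(get_attr "$d" IPMILan Enable)" != "Enabled" ] ||
        finding 13 "IPMI over LAN enabled (RAKP password hash exposure on UDP/623)" "set iDRAC.IPMILan.Enable 0"
    [ "$(get_attr "$d" Telnet Enable)" != "Enabled" ] ||
        finding 16 "Telnet enabled (cleartext credentials on TCP/23)" "set iDRAC.Telnet.Enable 0"
    [ "$(get_attr "$d" SSH Enable)" = "Enabled" ] ||
        finding 16 "SSH disabled, no encrypted CLI to replace Telnet" "set iDRAC.SSH.Enable 1"
    [ "$(get_attr "$d" VNCServer Enable)" != "Enabled" ] ||
        finding 23 "VNC server enabled (TCP/5901)" "set iDRAC.VNCServer.Enable 0"
    # Rows 29 and 30: racadm set replaces the whole list, so emit the full filtered
    # list, and never an empty one (that would lock SSH out entirely).
    kex=$(get_attr "$d" SSHCrypto KexAlgorithms); new_kex=$(drop_matching "$kex" '-sha1$')
    [ "$new_kex" = "$kex" ] || [ -z "$new_kex" ] ||
        finding 29 "SHA-1 key exchange offered" "set iDRAC.SSHCrypto.KexAlgorithms $new_kex"
    ciph=$(get_attr "$d" SSHCrypto Ciphers); new_ciph=$(drop_matching "$ciph" '-cbc$')
    [ "$new_ciph" = "$ciph" ] || [ -z "$new_ciph" ] ||
        finding 30 "CBC-mode SSH ciphers offered" "set iDRAC.SSHCrypto.Ciphers $new_ciph"
}

# finding_count <dump>: number of gaps, usable as a pass/fail gate in a pipeline.
finding_count() { audit "$1" | grep -c '^FINDING' || true; }

audit "$SAMPLE_DUMP"
```

Review the FIX lines before running them against a remote racadm session; the SNMP community line carries a placeholder that must be filled in by hand, and the TLS and cipher string changes should be made from a session that does not depend on the web server. Re-run the vulnerability scan afterwards, since the certificate and firmware rows (1 through 6 and 21) are outside what a configuration dump can show.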

