CVE-2007-4360: Security Advisory for Dell DRAC4

Infrastructure, by Robert Scheck (Comments: 0)

In August 2007 we discovered a remotely exploitable vulnerability in the Dell Remote Access Card 4 (DRAC4), which allows remote management of Dell servers even before an operating system has been started. This vulnerability was fixed by Dell GmbH with a firmware update in November 2007. Below is the original document with which we made the problem public:

Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)
ETES GmbH Security Advisory; August 13, 2007 - updated January 18, 2008

BACKGROUND

Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage servers in remote locations where no administrative IT staff exists. It provides lights out management with continuous video that provides a graphical console regardless of the server's state and requires no operating system services or drivers. Virtual media support provides the server access to networked CD, floppy, and USB drives for server installation and updates (origin: Dell USA). The remote management is possible e.g. via web interface or via the provided integrated SSH daemon (running at port 22/TCP) based on Mocana SSH.

DESCRIPTION

Remote Denial of Service for the SSH service provided by the integrated SSH daemon is possible by the use of nmap-4.03-3 from Debian unstable, which is also included in Ubuntu Dapper. Please note that this vulnerability can't be reproduced with every nmap version; e.g. nmap-4.20 didn't trigger it. After the use of such a port scanner, the SSH port is unavailable and can only be made available again by the use of the Dell utility "racadm", which causes a hard reboot of the whole DRAC4.

As there is another issue when having the DRAC4 virtual drives enabled, a second reboot needs to be performed manually; otherwise a SuSE Linux Enterprise Server 10 (SLES 10), with and without Service Pack 1 (SP1), will not boot up correctly and will end with lots of segmentation faults, I/O errors and so on. Please note that the remote Denial of Service does not depend on the operating system used on the server.

ANALYSIS

There is NO exploitation which would allow unauthenticated remote attackers to gain root access. An affected machine has at least an unavailable SSH port at the DRAC4; the web interface keeps working. In order to get SSH access at the DRAC4 back, one or multiple reboots are necessary.

As the provided feature to access DRAC4 by SSH is very useful and enabled per default, it is easy to attack machines and use this vulnerability for remote Denial of Service.

Presumably any "Dell Remote Access Controller 4/P (DRAC 4/P)" including "Firmware Version 1.50 (Build 02.16)" is affected by this vulnerability. At least, the problem is reproducible with version 1.50 (Build 02.16).

REPRODUCIBILITY

Further information regarding the use of nmap and the port scan is given below. A normal port scan of the management IPv4 address of the DRAC4 should look like this (the output below is slightly truncated for better readability):

$ nmap -sV [Management IPv4 address of DRAC4]

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Mocanada embedded SSH (protocol 2.0)
80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.559 seconds
$

To bring the SSH daemon running at the DRAC4 down, the following command can be used in combination with the already described nmap version:

$ nmap -O [Management IPv4 address of DRAC4]
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-07-09 14:55 CEST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on xxx.xxx.xxx.xxx:
(The 1670 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5900/tcp open  vnc
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).

Nmap finished: 1 IP address (1 host up) scanned in 65.943 seconds
$

Now the SSH port is unavailable: an SSH connection attempt, e.g. by the OpenSSH client, will time out, and another port scan shows more details:

$ nmap -sV [Management IPv4 address of DRAC4]

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:56 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   filtered ssh
80/tcp   open     http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open     ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open     vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.378 seconds
$

In order to get SSH access back, "racadm racreset" has to be executed; further parameters may be needed. More information regarding this can be found in the Dell Remote Access Controller Racadm User's Guide.
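The two "nmap -sV" reports above differ only in the state of 22/tcp. The following added example (not part of the original advisory) parses such nmap text reports and flags the failure signature described here, SSH going from open to filtered while the web interface on 80/443 stays open, so a monitoring job can detect a wedged DRAC4 SSH daemon before anyone notices a hanging login. The sample reports are constructed from the scans quoted in the advisory.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: the "nmap -sV" reports quoted in the advisory,
# taken before and after the OS-detection scan that wedges the SSH daemon.
SCAN_BEFORE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Mocanada embedded SSH (protocol 2.0)
80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
"""

SCAN_AFTER = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:56 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   filtered ssh
80/tcp   open     http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open     ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open     vnc?
"""

# One port line of a normal nmap text report: "<port>/<proto> <state> <service> ..."
# nmap states may be combined, e.g. "open|filtered", hence the character class.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+([a-z|]+)\s+(\S+)", re.MULTILINE)


def parse_port_states(scan_output: str) -> Dict[str, str]:
    """Map 'port/proto' -> nmap state for every port line in the report."""
    return {f"{m.group(1)}/{m.group(2)}": m.group(3)
            for m in PORT_LINE.finditer(scan_output)}


def changed_ports(baseline: str, current: str) -> Dict[str, Tuple[str, str]]:
    """Ports whose state differs between two reports, as {port: (old, new)}."""
    before, after = parse_port_states(baseline), parse_port_states(current)
    return {p: (before.get(p, "absent"), after.get(p, "absent"))
            for p in set(before) | set(after) if before.get(p) != after.get(p)}


def drac4_ssh_wedged(baseline: str, current: str) -> bool:
    """True for the advisory's signature: 22/tcp open -> filtered, 80/443 still open."""
    before, after = parse_port_states(baseline), parse_port_states(current)
    ssh_lost = before.get("22/tcp") == "open" and after.get("22/tcp") == "filtered"
    web_alive = all(after.get(p) == "open" for p in ("80/tcp", "443/tcp"))
    return ssh_lost and web_alive
```

Feeding the output of a scheduled scan (or a plain TCP connect check on port 22 plus the web ports) through this comparison gives an alert that maps directly to the "racadm racreset" recovery step.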

WORKAROUND

If the fixed firmware is not available, a firewall should be set up to restrict network access to the DRAC4 to trusted networks only. This rule should be applied especially to the default SSH port (port 22/TCP). Since a new firmware solving this problem is now available, an update is highly recommended as well.

SOLUTION

On October 31, 2007 the "Firmware Version 1.60 (Build 10.04)" for "Dell Remote Access Controller 4" (DRAC 4/I and DRAC 4/P) was released to solve this vulnerability. An upgrade to this new version is highly recommended, but the whole DRAC4 configuration and settings have to be saved beforehand, as a firmware update causes a loss of all DRAC4-specific settings. In our case, multiple firmware updates (EPROM flashings) failed during the upgrade; the only working one was the offline update using two floppy disks.

In the README file, the correction of this issue is mentioned with "Added fix for Remote Denial of Service for SSH service", but no reference to this advisory.

CVE INFORMATION

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2007-4360 was assigned on August 15, 2007. Currently, the following other identifications are known for this issue:

  • CVE-2007-4360
  • Secunia SA26428
  • FrSIRT/ADV-2007-2908
  • SecurityFocus BID-25291
  • ISS X-Force 35998

DISCLOSURE TIMELINE

  • 2007-07-09: Initial vendor notification
  • 2007-07-11: Initial vendor response
  • 2007-07-16: Vendor communicated escalation to engineering
  • 2007-07-23: Vendor communicated the reproducibility
  • 2007-08-03: Vendor communicated the working for a solution
  • 2007-08-13: Vendor communicated an unknown timeframe
  • 2007-08-13: Coordinated public disclosure
  • 2007-10-31: Vendor released firmware update version 1.60
  • 2007-11-20: Vendor officially announced the new firmware
  • 2008-01-10: Verified the new firmware for reproducibility
  • 2008-01-18: Coordinated public advisory update

CREDIT

This vulnerability was discovered by Hendrik Weimer and Robert Scheck from ETES GmbH.

LEGAL NOTICES

Copyright © 2007-2008 ETES GmbH, referenced text belongs to its owner(s).

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
