iDRACula Vulnerability Impacts Millions of Legacy Dell EMC Servers

Discussion in 'STH Main Site Posts' started by Patrick Kennedy, Sep 28, 2018.

  1. #1
    T_Minus, chilipepperz and markpower28 like this.
  2. timofeym

    timofeym New Member

    Joined:
    Jun 11, 2018
    Messages:
    5
    Likes Received:
    2
    Is that what the forum post was? Holy shit. I'm sharing this one with our team.
     
    #2
    fohdeesha likes this.
  3. cesmith9999

    cesmith9999 Well-Known Member

    Joined:
    Mar 26, 2013
    Messages:
    1,040
    Likes Received:
    318
    Well done article. Good job @Patrick

    Well done in responsible journalism and disclosure.

    Chris
     
    #3
  4. Dawg10

    Dawg10 Active Member

    Joined:
    Dec 24, 2016
    Messages:
    144
    Likes Received:
    69
    This vulnerability will no doubt be quickly patched, but is there an upside for homelab users?

    Could a hypervisor be loaded onto the BMC? Could it effectively control the server?
     
    #4
  5. sean

    sean Member

    Joined:
    Sep 26, 2013
    Messages:
    46
    Likes Received:
    14
    This might be the best source for default passwords when trying to access a new system. I can either dig through documentation or remember STH has them all.
     
    #5
    MiniKnight likes this.
  6. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    932
    Likes Received:
    679
    The SuperH/RISC CPUs in the BMCs do not have anywhere near the power required for a hypervisor, but your usual Linux scripts, absolutely. That was probably part of the reason uh, whoever found this wanted it in the first place. cough
     
    #6
    StammesOpfer and MiniKnight like this.
  7. mstone

    mstone Active Member

    Joined:
    Mar 11, 2015
    Messages:
    475
    Likes Received:
    111
    LOL
     
    #7
    fohdeesha likes this.
  8. MiniKnight

    MiniKnight Well-Known Member

    Joined:
    Mar 30, 2012
    Messages:
    2,787
    Likes Received:
    786
    If someone posts this on Reddit, people there are going to have a field day.

    Hey, if they need the security hardware for iDRAC 9 wouldn't they need it for iDRAC 8? If that's the case, they ultimately can't patch it completely as @Dawg10 suggested. Just the fact that they added the new hardware to fix this means they've been aware for some time right?

    Before the Reddit crowd comes, I agree with @cesmith9999 that this was done well.
     
    #8
    fohdeesha likes this.
  9. Aluminum

    Aluminum Active Member

    Joined:
    Sep 7, 2012
    Messages:
    418
    Likes Received:
    42
    +1 to that, anyone want to bet on it?

    I think a year from now I could pay $20 for every patched system and collect a $1 for every unpatched system, then retire to an island.
     
    #9
  10. amalurk

    amalurk Member

    Joined:
    Dec 16, 2016
    Messages:
    100
    Likes Received:
    12
    STH has made the big time!
     
    #10
  11. chilipepperz

    chilipepperz Active Member

    Joined:
    Mar 17, 2016
    Messages:
    169
    Likes Received:
    50
    Great journalism. @Aluminum when you say retire to an island, you mean buy an island nation?
     
    #11
  12. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    932
    Likes Received:
    679

    sshhh, only quiet times now
     
    #12
  13. cesmith9999

    cesmith9999 Well-Known Member

    Joined:
    Mar 26, 2013
    Messages:
    1,040
    Likes Received:
    318
    #13
  14. mstone

    mstone Active Member

    Joined:
    Mar 11, 2015
    Messages:
    475
    Likes Received:
    111
    Because it's basically just a twist on "if you expose your management interface you're already f'd" so there's not really that much to see.
     
    #14
  15. cesmith9999

    cesmith9999 Well-Known Member

    Joined:
    Mar 26, 2013
    Messages:
    1,040
    Likes Received:
    318
    Where I just left there are over 20K servers that we managed. 20K BMC/iLO/iDRAC that could be running mining or an easy way to destroy a whole company/environment.

    We did change the default passwords as a normal measure. However, even changing from the default to a new default has its (own) issues.

    Chris
     
    #15
  16. PigLover

    PigLover Moderator

    Joined:
    Jan 26, 2011
    Messages:
    2,689
    Likes Received:
    1,054
    IPMI and its various extensions (iDRAC/iLO/etc) have always been weak links in the security chain. I know perimeter security is not considered sufficient in today's world, but this is one place you need to build fences and do things to make the management interfaces almost impossible to breach. They need to be on separate NICs (disable all forms of NIC sharing with production traffic). They need to be on isolated, dedicated physical networks (don't even trust VLAN separation - physically separate). These networks need to be almost impossible to access from outside (private address spaces, tightly controlled "jump servers", for human access and well managed gateways for automation). And you need to be diligent beyond measure about logging and analyzing activity on these jump/gateway servers.

    All of this remains true even after vendors like Dell implement trusted compute methods to protect the iDRAC flash.
     
    #16
    fohdeesha and Patrick like this.
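    One way to act on the "be diligent about logging and analyzing activity" point above, as an added illustration that is not part of the original post: a small checker that reads netfilter LOG lines from the gateway in front of the BMC network and flags any flow that did not originate from an approved jump host or that targets a port a BMC should not be serving. The management subnet, jump-host addresses, log prefix and sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed, constructed topology: the isolated BMC/iDRAC network and the only
# hosts allowed to reach it (human jump server and automation gateway).
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.10.1.5"),  # human jump server (assumed)
    ipaddress.ip_address("10.10.1.6"),  # automation gateway (assumed)
}
# Ports a BMC legitimately serves: HTTPS/Redfish, SSH, IPMI-over-LAN (RMCP+).
ALLOWED_PORTS = {443, 22, 623}

# Matches a netfilter LOG line emitted with an assumed "MGMT-IN:" prefix.
LOG_RE = re.compile(
    r"MGMT-IN: .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return (src, dst, proto, dport) for a management log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dpt")) if m.group("dpt") else None  # ICMP has no port
    return (ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")), m.group("proto"), dport)

def find_violations(lines):
    """Flag flows into the BMC network from non-jump hosts or to odd ports."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _proto, dport = parsed
        if dst not in MGMT_NET:
            continue
        reasons = []
        if src not in ALLOWED_SOURCES:
            reasons.append("source is not an approved jump host")
        if dport is not None and dport not in ALLOWED_PORTS:
            reasons.append(f"unexpected destination port {dport}")
        if reasons:
            findings.append((str(src), str(dst), dport, "; ".join(reasons)))
    return findings

# Constructed sample lines (not real logs): two legitimate flows, two violations.
SAMPLE_LOG = [
    "Sep 28 10:01:02 gw kernel: MGMT-IN: IN=eth1 OUT=eth2 SRC=10.10.1.5 DST=10.99.0.17 LEN=60 PROTO=TCP SPT=51234 DPT=443",
    "Sep 28 10:01:03 gw kernel: MGMT-IN: IN=eth1 OUT=eth2 SRC=10.10.1.6 DST=10.99.0.18 LEN=60 PROTO=UDP SPT=40000 DPT=623",
    "Sep 28 10:02:10 gw kernel: MGMT-IN: IN=eth0 OUT=eth2 SRC=10.0.5.23 DST=10.99.0.17 LEN=60 PROTO=TCP SPT=44444 DPT=443",
    "Sep 28 10:02:11 gw kernel: MGMT-IN: IN=eth1 OUT=eth2 SRC=10.10.1.5 DST=10.99.0.17 LEN=60 PROTO=TCP SPT=44445 DPT=3389",
]
```

    Running `find_violations(SAMPLE_LOG)` on the constructed lines returns the two flows a reviewer would want to see: the one from the production host and the one to port 3389.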
  17. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,195
    Likes Received:
    4,147
    #17
  18. zir_blazer

    zir_blazer Active Member

    Joined:
    Dec 5, 2016
    Messages:
    155
    Likes Received:
    46
    You are pretty much answering a question that I did recently. Dedicated NIC and Switches for the BMC > shared NIC.


    I would love to see this being a push for OpenBMC and Coreboot. At the very least, end users can actually audit that code instead of having a complete black box. It also makes it possible for a community effort to upgrade and maintain it; otherwise, the manufacturer holds you hostage whenever you want a feature, and typically forces you to purchase newer hardware when what you want could be backported.
    It is like when Intel introduced firmware support for NVMe boot in their 9x Series chipsets for Broadwell: BIOS modders at WinRAID managed to transplant the NVMe firmware driver to previous-generation Intel motherboards and it worked well. If the firmware were open source instead of having to rely on a multitude of BIOS hacking tools, doing so would have been easier. Alas, Intel wouldn't have given you what they touted as one of the major selling points of the 9x chipsets for free.
     
    #18
  19. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,344
    Likes Received:
    328
    I agree with separate, including the dedicated remote management NIC, but a different switch is really not needed; just a separate secure VLAN and ports, really.

    This is certainly not the first remote management exploit and won't be the last; remember, was it last year that HPE iLO v4 had an issue?
     
    #19
  20. kapone

    kapone Active Member

    Joined:
    May 23, 2015
    Messages:
    457
    Likes Received:
    159
    I'm adamant about IPMI/Mgmt ports being on a physically different switch. These ports are by far the most important ports in your network. If BMCs can have a vulnerability ... who's to say a switch firmware can't? I will not trust these ports to just VLAN segmentation.

    In fact in my setup, the IPMI/Mgmt ports are on a different switch, connected to the router/firewall on a dedicated interface and have very tight firewall rules on that interface. This switch even has port security and MAC address restrictions enabled so that you can't just plug something in, physically, to get access.
     
    #20