Crisis averted for Dell PowerEdge servers, after a group of researchers disclosed details of a recently patched, high-severity flaw which, if exploited, could allow an attacker to fully take over and control server operations.
The vulnerability was found in the Dell EMC iDRAC remote access controller, technology embedded within the latest versions of Dell PowerEdge servers.
While the flaw was remediated back at the start of July, Positive Technologies, the company behind the disclosure, just revealed the full details.
According to the researchers, the vulnerability (CVE-2020-5366), found in Dell EMC iDRAC9 versions prior to 4.20.20.20, carries a 7.1 score for exploitability, giving it a high-severity rating.
Path traversal is one of the three most common vulnerabilities the researchers said they encounter in their investigations.
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files. It should be noted that access to files is still limited by the operating system's access controls (such as in the case of locked or in-use files on Microsoft Windows).
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
iDRAC runs on Linux, and the main appeal of the vulnerability to an attacker would be the ability to read the file /etc/passwd, which stores information about Linux user accounts, the researchers said.
iDRAC is designed to allow IT administrators to remotely deploy, update, monitor and maintain Dell servers without installing new software. Dell has already released an update to the iDRAC firmware that fixes the flaw and it recommends customers update as soon as possible.
The vulnerability can only be exploited if iDRAC is exposed to the internet, which Dell advises against. iDRAC is also a relatively new technology, which means it may not be widely used yet.
Still, the researchers said that public search engines have already indexed several Internet-accessible iDRAC interfaces that could be exploited, as well as 500 controllers reachable over SNMP.
To better secure Dell servers that use iDRAC, the researchers recommended that customers place iDRAC on a separate administration network and do not connect the controller to the internet. Companies should also isolate the administration network or VLAN (for example, with a firewall) and restrict access to that subnet or VLAN to authorized server administrators only.
Other recommendations by Dell EMC to secure iDRAC against intrusion include using 256-bit encryption and TLS 1.2 or later; configuration options such as IP address range filtering and system lockdown mode; and additional authentication such as Microsoft Active Directory or LDAP.
How to defend from path traversal attacks
First of all, make sure you are running the latest version of your web server software and that all available patches have been applied.
Secondly, filter all user input effectively. Ideally, remove everything except known-good data and strip meta-characters from the input, so that only values the field is meant to accept reach the server.
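The following is an added example, not code from the article, Dell or Positive Technologies, covering both the traversal mechanics described above and the input-filtering advice just given. It shows two defensive pieces: a resolver that accepts a user-supplied relative path only if every component passes an allow-list and the canonicalised result still lies under the document root (catching ../ sequences, their percent-encoded and double-encoded forms, backslash variants and absolute paths), and a detector that runs the same decoding over sample access-log lines and flags traversal attempts. The document root, the log lines and the function names are all constructed for the example.

```python
"""Path-traversal defence and detection (added example, not the article's code)."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # hypothetical document root, constructed for this example

# Allow-list for a single path component: must start with an alphanumeric,
# so "." / ".." / hidden files are rejected before any canonicalisation happens.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# After decoding, a ".." that is bounded by a separator, a query delimiter or
# the end of the string is a traversal sequence ("/../", "=../", "/.." at end).
TRAVERSAL_RE = re.compile(r"(?:^|[/?&=])\.\.(?:/|$)")

# Request line of a Common Log Format entry: method, URL, protocol.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')


class TraversalError(ValueError):
    """Raised when user input would escape the document root."""


def normalize_request_path(user_path: str) -> str:
    """Percent-decode repeatedly (defeats double encoding), unify separators,
    and refuse NUL bytes, which truncate paths in C-based file APIs."""
    decoded = user_path
    for _ in range(3):  # bounded loop: "%252e" -> "%2e" -> "."
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    return decoded


def safe_join(root: str, user_path: str) -> str:
    """Return the absolute path for a user-supplied relative path, or raise
    TraversalError. Two layers: component allow-list, then canonical check."""
    decoded = normalize_request_path(user_path)
    if decoded.startswith("/"):
        raise TraversalError("absolute paths are not allowed")
    for part in decoded.split("/"):
        if not SAFE_COMPONENT.match(part):
            raise TraversalError(f"rejected path component {part!r}")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Defence in depth: even if the allow-list were loosened, the resolved
    # path must remain inside the root (prefix check includes the separator).
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise TraversalError("resolved path escapes the document root")
    return candidate


def is_traversal_request(url: str) -> bool:
    """True if the decoded request URL contains a traversal sequence."""
    try:
        decoded = normalize_request_path(url)
    except TraversalError:
        return True  # a NUL byte in a URL is itself an evasion attempt
    return TRAVERSAL_RE.search(decoded) is not None


def flag_traversal_attempts(log_lines):
    """Return the access-log lines whose request URL looks like traversal."""
    flagged = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if m and is_traversal_request(m.group(1)):
            flagged.append(line)
    return flagged


# Constructed sample log lines; the addresses and paths are not real data.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jul/2020:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 1234',
    '10.0.0.9 - - [14/Jul/2020:10:01:07 +0000] "GET /files/../../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [14/Jul/2020:10:01:09 +0000] "GET /files/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [14/Jul/2020:10:01:11 +0000] "GET /files/..%5c..%5cwindows/win.ini HTTP/1.1" 404 0',
    '10.0.0.9 - - [14/Jul/2020:10:01:13 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(safe_join(WEB_ROOT, "images/logo.png"))
    for hit in flag_traversal_attempts(SAMPLE_LOG):
        print("TRAVERSAL:", hit)
```

The allow-list is the primary control, as the article recommends: it rejects anything that is not a plain file-name character before the path is ever joined. The canonical prefix check is kept as a second layer so that a future relaxation of the allow-list (for example to permit spaces) cannot silently reintroduce the flaw. The detector applies the same decoding to logs, which is what makes the percent-encoded and backslash variants show up as the same "../" pattern.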