Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)

[Robert Scheck <scheck@xxxxxxx>]

Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)
ETES GmbH Security Advisory; August 13, 2007


BACKGROUND
==========

Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
graphical console regardless of the server's state and requires no
operating system services or drivers. Virtual media support provides the
server access to networked CD, floppy, and USB drives for server
installation and updates (origin: Dell USA). The remote management is
possible e.g. via web interface or via the provided integrated SSH daemon
(running at port 22/TCP) based on Mocana SSH.


DESCRIPTION
===========

Remote Denial of Service for the SSH service provided by the integrated SSH
daemon is possible by the use of nmap-4.03-3 from Debian unstable, which is
also included in Ubuntu Depper. Please note, that this vulnerability can't
be reproduced with every nmap version, e.g. nmap-4.20 didn't work. After
the use of such a port scanner, the SSH port is unavailable and can only be
made available again by the use of the Dell utility "racadm" which causes a
hard reboot of the whole system.

As there is another issue when having the DRAC4 virtual drives enabled, a
second reboot needs to be performed manually, otherwise a SuSE Linux
Enterprise Server 10 (SLES 10) with and without Service Pack 1 (SP1) will
not boot up correctly and will end with lots of segmentation faults, I/O
errors and so on.


ANALYSIS
========

There is NO exploitation which would allow unauthenticated remote attackers
to gain root access. An affected machine has at least an unavailable SSH
port at DRAC4, the web interface is working anyway, and in order to get SSH
access at the DRAC4 back, one or multiple reboots are necessary.

As the provided feature to access DRAC4 by SSH is very useful and enabled
per default, it is easy to attack machines and use this vulnerability for
remote Denial of Service.

Presumably any "Dell Remote Access Controller 4/P (DRAC 4/P)" including
"Firmware Version 1.50 (Build 02.16)" is affected by this vulnerability. At
least, the problem is reproducable with version 1.50 (Build 02.16).


REPRODUCABILITY
===============

Further information regarding the use of nmap and the port scan are below.
A normal port scan of the management IPv4 address of DRAC4 should look like
this (the output below is a bit trunicated for better readability):

$ nmap -sV [Management IPv4 address of DRAC4]

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Mocanada embedded SSH (protocol 2.0)
80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.559 seconds
$

To bring the SSH daemon running at the DRAC4 down, the following command
can be used in combination with the already described nmap version:

$ nmap -O [Management IPv4 address of DRAC4]
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-07-09 14:55
CEST
Insufficient responses for TCP sequencing (0), OS detection may be less
accurate
Insufficient responses for TCP sequencing (0), OS detection may be less
accurate
Insufficient responses for TCP sequencing (0), OS detection may be less
accurate
Interesting ports on xxx.xxx.xxx.xxx:
(The 1670 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5900/tcp open  vnc
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).

Nmap finished: 1 IP address (1 host up) scanned in 65.943 seconds
$

Now the SSH port is unavailable, a SSH connection establishment e.g. by
OpenSSH client will time out, another port scan shows more details:

$ nmap -sV [Management IPv4 address of DRAC4]

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:56 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   filtered ssh
80/tcp   open     http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open     ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open     vnc?
Service Info: Devices: terminal server, remote management

Nmap finished: 1 IP address (1 host up) scanned in 21.378 seconds
$

In order to get SSH access back, "racadm racreset" has to be executed,
maybe further parameters are needed. More information regarding this can be
taken from the Dell Remote Access Controller Racadm User's Guide.


WORKAROUND
==========

If not available, a firewall should be set up to restrict the network
access to trusted networks only. This rule should be applied especially for
the default SSH port (port 22/TCP).


VENDOR RESPONSE
===============

The Dell GmbH communicates, that they're working on this issue. They also
stated, that there currently is no public timeframe for an update or a Dell
customer advisory.


CVE INFORMATION
===============

A MITRE Corporation Common Vulnerabilities and Exposures (CVE) number has
not been assigned, yet.


DISCLOSURE TIMELINE
===================

2007-07-09 Initial vendor notification
2007-07-11 Initial vendor response
2007-07-16 Vendor communicated escalation to engineering
2007-07-23 Vendor communicated the reproducibility
2007-08-03 Vendor communicated the working for a solution
2007-08-13 Vendor communicated an unknown timeframe
2007-08-13 Coordinated public disclosure


CREDIT
======

This vulnerability was discovered by the ETES GmbH <http://www.etes.de>.


LEGAL NOTICES
=============

Copyright © 2007 ETES GmbH <http://www.etes.de>, referenced text belongs to
its owner(s).

All actions regarding the use of in Germany so-called "hacker tools" like
ping, nmap, telnet, ssh etc. have been done before taking effect of the new
paragraph/law of combat of computer crime rate (Strafvorschriften zur
"Bekämpfung der Computerkriminalität"; have a look to the PDF for further
information: http://www.bgblportal.de/BGBL/bgbl1f/bgbl107s1786.pdf).

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.


With kind regards

Robert Scheck

--
Robert Scheck
Web: http://www.etes.de         E-Mail: scheck@xxxxxxx
ETES GmbH  Libanonstrasse 58 A  D-70184 Stuttgart
Fon: +49 (7 11) 48 90 83 - 12   Fax: +49 (7 11) 48 90 83 - 50

Registergericht: Amtsgericht Stuttgart HRB 721182
Geschäftsführende Gesellschafter: Markus Espenhain und Jan Theofel
Sitz der Gesellschaft: Stuttgart
USt.-Id.Nr.: DE814767446

Attachment: pgphjLsl9ikZO.pgp
Description: PGP signature