In 2022, Dell released an important security advisory for their popular iDRAC9 remote management controllers, impacting thousands of enterprise servers worldwide. The vulnerability, tracked as CVE-2022-24422, could allow remote hackers to access a server’s console—without needing a username or password—just by exploiting a flaw in the authentication process. If you use Dell’s iDRAC9 management interface, here’s what you need to know, how it works, and what you can do to protect your servers.

What is iDRAC9?

iDRAC9 is Dell’s “Integrated Dell Remote Access Controller,” a piece of hardware built into many Dell PowerEdge servers. It lets IT administrators manage, monitor, and access their servers remotely—even if the system is powered off. One key feature is the Virtual Network Computing (VNC) Console that allows you to remotely view and interact with the server’s screen.

Understanding CVE-2022-24422

CVE-2022-24422 is an “improper authentication” bug in iDRAC9’s VNC service. According to Dell’s original advisory, this bug exists in iDRAC9 versions starting from 5.00.00.00 up to (but not including) 5.10.10.00.

How Does the Exploit Work?

This section provides a conceptual look at how the vulnerability could be exploited. For obvious ethical reasons, this post doesn’t provide a fully working exploit—but enough to understand the risk and recognize attack attempts.

The Issue

Under certain network conditions, iDRAC9’s built-in VNC server didn’t properly check authentication requests. So, if an attacker connects at just the right moment, they could bypass the password step entirely.

Step-by-Step (Simplified)

1. Attacker Scans Network: They look for reachable iDRAC9 management interfaces, whose VNC server often listens on TCP port 590.
2. Direct VNC Connection: Using a VNC client (like vncviewer), they attempt to connect to the host’s VNC server.
3. Authentication Bypass: Due to the bug in affected versions, iDRAC9 responds by allowing a session without asking for a password.

Code Snippet (Python, for Educational Purposes)

Here’s a demonstration of a simplified Python script *structure* that attempts VNC connections. This is for defensive/awareness purposes only!

import socket

def try_vnc(ip, port=590):
    """Open a TCP connection to ip:port and read the first bytes the server sends.

    A VNC (RFB) server greets the client with a version string such as
    b'RFB 003.008\\n'. Returns the banner, or None if the connection failed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.connect((ip, port))
        banner = s.recv(1024)
        print(f'VNC banner from {ip}: {banner}')
        # On a vulnerable iDRAC9 the session might proceed without authentication.
        # A real exploit would continue with the protocol-specific handshake that triggers the bug.
        return banner
    except OSError as e:  # connection refused, timeout, unresolvable host, ...
        print(f'Failed to connect: {e}')
        return None
    finally:
        s.close()

if __name__ == '__main__':
    # 192.0.2.10 is a documentation-range placeholder; replace it with the iDRAC IP you are checking
    try_vnc('192.0.2.10')

For the actual exploit, attackers might use an ordinary VNC client and simply skip entering any password:

vncviewer <target_ip>:590
# On vulnerable iDRAC9, the console could appear without authentication!

Check your firmware version by logging into the web UI or by running Dell’s racadm tool:

racadm getversion

1. Patch Immediately

Dell’s fix is to update iDRAC9 firmware to at least 5.10.10.00. Download the latest firmware from the official Dell support page.
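Deciding whether a given iDRAC is inside the affected range is a version comparison, and the usual mistake is to compare the strings, which ranks 5.9.00.00 above 5.10.00.00. The script below, added here as an illustration and not Dell's or the advisory's own tooling, parses dotted versions into integer tuples and checks them against the range stated above (5.00.00.00 up to, but not including, 5.10.10.00). The sample racadm output is constructed; the exact labels and spacing that `racadm getversion` prints are an assumption, so adjust the regex to match your output.

```python
import re


def parse_version(text):
    """Turn '5.10.00.00' into (5, 10, 0, 0).

    Tuples of ints compare numerically segment by segment; a plain string
    comparison would wrongly rank '5.9.00.00' above '5.10.00.00'.
    """
    parts = text.strip().split('.')
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f'not a dotted numeric version: {text!r}')
    return tuple(int(p) for p in parts)


# Affected range as stated in the post: 5.00.00.00 up to, but not including, 5.10.10.00.
FIXED_IN_TEXT = '5.10.10.00'
AFFECTED_MIN = parse_version('5.00.00.00')
FIXED_IN = parse_version(FIXED_IN_TEXT)

# Constructed sample of `racadm getversion` output. The labels and spacing are
# assumed, not copied from a real racadm session.
SAMPLE_RACADM_OUTPUT = """\
Bios Version         = 2.12.2
iDRAC Version        = 5.10.00.00
CPLD Version         = 1.0.3
"""


def is_affected(version_text):
    """True when the firmware version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN


def idrac_version_from_racadm(output):
    """Extract the iDRAC firmware version from racadm getversion output.

    Returns None when no 'iDRAC Version = x.y.z.w' line is present.
    """
    m = re.search(r'^\s*iDRAC\s+Version\s*=\s*([0-9.]+)\s*$',
                  output, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess(output):
    """Return (version, verdict) for one host's racadm output."""
    version = idrac_version_from_racadm(output)
    if version is None:
        return None, 'unknown: iDRAC version line not found'
    if is_affected(version):
        return version, f'VULNERABLE: {version} is below {FIXED_IN_TEXT}'
    return version, f'ok: {version} is outside the affected range'


if __name__ == '__main__':
    print(assess(SAMPLE_RACADM_OUTPUT))
```

Feed `assess()` the saved output of `racadm getversion` from each host (for example collected by your configuration-management tool) to get a fleet-wide list of controllers still below 5.10.10.00.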

2. Restrict Network Access

Always keep your iDRAC interfaces on a private management network. Do not expose them directly to the internet.

3. Monitor and Detect

Watch for unexplained VNC connections in your server logs and use network firewalls to block unauthorized access.
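What "unexplained VNC connections" looks like in practice is any connection to the iDRAC's VNC port from outside the management network, plus, because the post describes the bypass as depending on timing, repeated connection attempts from a single source. The script below is an added example, not Dell's code or a real firewall format: it runs that logic over constructed syslog-style firewall records. The management subnet, the iDRAC address and the log layout are assumptions; the port number is the one the post gives, so set `VNC_PORTS` to whatever your iDRAC's VNC server is actually configured to use.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-style firewall records (not a real Dell or firewall vendor format).
# 10.20.1.50 plays the iDRAC; 10.20.0.0/24 is the admin jump network.
SAMPLE_LOG = """\
2022-05-27T10:00:01Z fw01 ACCEPT src=10.20.0.15 dst=10.20.1.50 proto=tcp dport=590
2022-05-27T10:00:02Z fw01 ACCEPT src=10.20.0.15 dst=10.20.1.50 proto=tcp dport=443
2022-05-27T10:00:05Z fw01 ACCEPT src=198.51.100.77 dst=10.20.1.50 proto=tcp dport=590
2022-05-27T10:00:06Z fw01 ACCEPT src=198.51.100.77 dst=10.20.1.50 proto=tcp dport=590
2022-05-27T10:00:08Z fw01 ACCEPT src=198.51.100.77 dst=10.20.1.50 proto=tcp dport=590
2022-05-27T10:05:00Z fw01 DROP src=203.0.113.9 dst=10.20.1.50 proto=tcp dport=590
"""

# Assumed management network. The port is the one the post gives for iDRAC9's VNC
# server; set it to the port your controllers actually listen on.
MANAGEMENT_NETS = (ipaddress.ip_network('10.20.0.0/24'),)
VNC_PORTS = frozenset({590})

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+\S+\s+(?P<action>ACCEPT|DROP)\s+'
    r'src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=tcp\s+dport=(?P<dport>\d+)$'
)


def parse_line(line):
    """Parse one firewall record into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        'ts': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ'),
        'action': m['action'],
        'src': ipaddress.ip_address(m['src']),
        'dst': ipaddress.ip_address(m['dst']),
        'dport': int(m['dport']),
    }


def find_suspicious(log_text, management_nets=MANAGEMENT_NETS, vnc_ports=VNC_PORTS,
                    burst_count=3, burst_window=timedelta(seconds=10)):
    """Return (kind, src, detail) alerts for VNC traffic that does not fit the expected picture.

    'external_source': a VNC connection (accepted or dropped) from outside the management
                       nets, reported once per source/destination pair.
    'burst':           burst_count accepted VNC connections from one source to one iDRAC
                       within burst_window; raised once when the count is reached.
    """
    alerts = []
    reported_external = set()
    recent = defaultdict(list)  # (src, dst) -> timestamps of accepted VNC connections in window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev['dport'] not in vnc_ports:
            continue
        pair = (ev['src'], ev['dst'])
        if not any(ev['src'] in net for net in management_nets) and pair not in reported_external:
            reported_external.add(pair)
            alerts.append(('external_source', str(ev['src']),
                           f"{ev['action']} to {ev['dst']}:{ev['dport']} at {ev['ts'].isoformat()}"))
        if ev['action'] != 'ACCEPT':
            continue
        times = recent[pair]
        times.append(ev['ts'])
        while times and ev['ts'] - times[0] > burst_window:  # slide the window forward
            times.pop(0)
        if len(times) == burst_count:
            alerts.append(('burst', str(ev['src']),
                           f"{burst_count} VNC connections to {ev['dst']} within "
                           f"{int(burst_window.total_seconds())}s ending {ev['ts'].isoformat()}"))
    return alerts


if __name__ == '__main__':
    for kind, src, detail in find_suspicious(SAMPLE_LOG):
        print(f'[{kind}] {src}: {detail}')
```

On the sample data this reports the external host 198.51.100.77 once, then its burst of three accepted connections in a few seconds, then the dropped attempt from 203.0.113.9; the admin host on the management subnet produces nothing. Dropped connections still count as external-source alerts because a firewall that blocks the attempt is doing its job, but the attempt itself is the signal that someone is probing your management plane.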

References and Further Reading

- Dell Security Advisory DSA-2022-053
- NIST NVD CVE-2022-24422
- Mitre CVE Page
- Dell iDRAC9 Documentation

Conclusion

CVE-2022-24422 is an easy-to-exploit bug with severe consequences: simple, remote, no password required. If your Dell iDRAC9 is unpatched and reachable, you are at serious risk. Patch now, check your network exposure, and watch for unauthorized access.

Timeline

Published on: 05/26/2022 16:15:00 UTC
Last modified on: 06/07/2022 17:07:00 UTC