CVE-2022-24422
Description
Dell iDRAC9 versions 5.00.00.00 and later, but prior to 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote unauthenticated attacker can bypass authentication in Dell iDRAC9 versions 5.00.00.00 to before 5.10.10.00 to gain access to the VNC Console.
Vulnerability
Dell iDRAC9 versions 5.00.00.00 and later, but prior to 5.10.10.00, contain an improper authentication vulnerability. The issue exists in the VNC Console component and allows access without proper authentication. [1]
Exploitation
A remote unauthenticated attacker can exploit this vulnerability by sending specially crafted network requests to the VNC service on an affected iDRAC9 system. The attacker does not require any prior credentials, but user interaction (such as a legitimate user connecting to the VNC Console) may be needed to trigger the race condition or improper authentication flow according to the CVSS vector (UI:R). [1]
Impact
Successful exploitation grants the attacker unauthorized access to the VNC Console, which provides full interactive control over the host server's graphical console. This can lead to complete compromise of confidentiality, integrity, and availability (CVSS 9.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). [1]
Mitigation
Dell released iDRAC9 version 5.10.10.00 on 2022-05-11 to fix the vulnerability. All users should update to this patched version or later. No workaround is documented; the vulnerability cannot be mitigated without applying the update. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References