CVE-2022-34435
Description
Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker could exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged attacker can bypass the firmware lock-down setting in Dell iDRAC9 prior to 6.00.30.00 via improper input validation in Racadm, enabling unauthorized firmware updates.
Vulnerability
An improper input validation vulnerability exists in the racadm command-line interface of all Dell iDRAC9 versions before 6.00.30.00 [1]. When the firmware lock-down configuration is set, the software fails to properly validate certain inputs, allowing a remote high-privileged attacker to bypass the lock-down and perform a firmware update [1].
Exploitation
An attacker must already have a high-privileged account (e.g., administrator) on the iDRAC9 management interface [1]. With that access, the attacker can send a crafted racadm command that exploits the input validation flaw to bypass the firmware lock-down setting [1]. No additional user interaction is required beyond the attacker's existing privileged session. The attack is performed remotely over the network [1].
Impact
Successful exploitation allows the attacker to bypass the firmware lock-down protection and install a modified or unauthorized firmware image on the iDRAC9 [1]. This can lead to a complete compromise of the iDRAC management controller, potentially giving the attacker persistent control over the server's management plane and the ability to hide malicious activity from the host operating system [1]. The confidentiality, integrity, and availability of the system may be severely impacted [1].
Mitigation
Dell has released iDRAC9 version 6.00.30.00 to fix this vulnerability [1]. Users must update their iDRAC9 firmware to version 6.00.30.00 or later [1]. The update is available from the Dell support site [1]. No workaround is provided in the advisory. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2; Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.dell.com/support/kbdoc/000205346 (vendor advisory; source: MITRE)
News mentions
No linked articles in our index yet.