CVE-2022-24422
📋 TL;DR
CVE-2022-24422 is an improper authentication vulnerability in Dell iDRAC9 that allows remote unauthenticated attackers to bypass authentication and gain access to the VNC Console. This affects organizations using Dell iDRAC9 versions 5.00.00.00 through 5.10.00.00 for server management.
💻 Affected Systems
- Dell iDRAC9
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of server management interface leading to full administrative control over affected servers, potential data exfiltration, and server manipulation.
Likely Case
Unauthorized access to server console allowing attackers to execute commands, install malware, or disrupt server operations.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to iDRAC interfaces.
🎯 Exploit Status
The vulnerability allows unauthenticated access, making exploitation straightforward for attackers who can reach the iDRAC interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10.10.00 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000199267/dsa-2022-068-dell-idrac9-security-update-for-an-improper-authentication-vulnerability
Restart Required: Yes
Instructions:
1. Download iDRAC9 firmware 5.10.10.00 or later from Dell Support.
2. Log into the iDRAC web interface.
3. Navigate to Maintenance > System Update.
4. Upload and install the firmware update.
5. Reboot the iDRAC controller when prompted.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to iDRAC interfaces to trusted management networks only.
Disable VNC Console
Disable the VNC console feature in iDRAC settings if not required.
🧯 If You Can't Patch
- Implement strict network access controls to isolate iDRAC interfaces from untrusted networks
- Enable multi-factor authentication and strong password policies for iDRAC access
🔍 How to Verify
Check if Vulnerable:
Check iDRAC firmware version via web interface or SSH: racadm getversion
Check Version:
racadm getversion | grep -i firmware
Verify Fix Applied:
Verify firmware version is 5.10.10.00 or later using racadm getversion command
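The version check above can be automated. The following is an added example, not Dell's own tooling: it parses `racadm getversion` output (a constructed sample is embedded; the exact "iDRAC Version" label is an assumption about the real output format) and compares the firmware version numerically against the affected range and fixed version stated on this page.

```python
import re
import sys
from typing import Optional, Tuple

# Boundaries taken from the advisory text on this page.
FIRST_AFFECTED = (5, 0, 0, 0)   # 5.00.00.00
FIXED = (5, 10, 10, 0)          # 5.10.10.00

# Constructed sample of `racadm getversion` output; the "iDRAC Version"
# label is an assumption about the real format, so matching is tolerant.
SAMPLE_OUTPUT = """\
Bios Version = 2.10.2
iDRAC Version = 5.10.00.00
USC Version = 5.10.00.00
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.10.00.00' into (5, 10, 0, 0) so comparison is numeric.
    A plain string compare would wrongly rank '5.9.0.0' above '5.10.0.0'."""
    return tuple(int(part) for part in text.strip().split("."))

def extract_idrac_version(output: str) -> Optional[Tuple[int, ...]]:
    """Return the iDRAC firmware version found in racadm getversion output."""
    for line in output.splitlines():
        if "idrac" in line.lower():
            m = re.search(r"(\d+(?:\.\d+){3})", line)
            if m:
                return parse_version(m.group(1))
    return None

def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """The page lists 5.00.00.00 through 5.10.00.00 as affected and 5.10.10.00
    as the fix; anything in between is treated conservatively as unpatched."""
    return FIRST_AFFECTED <= version < FIXED

def assess(output: str) -> str:
    """Classify a racadm getversion dump as vulnerable, patched, or unknown."""
    version = extract_idrac_version(output)
    if version is None:
        return "unknown: no iDRAC version line found"
    label = ".".join(f"{p:02d}" if i else str(p) for i, p in enumerate(version))
    if is_vulnerable(version):
        return f"vulnerable: iDRAC {label} (upgrade to 5.10.10.00 or later)"
    if version >= FIXED:
        return f"patched: iDRAC {label}"
    return f"not in affected range: iDRAC {label}"

if __name__ == "__main__":
    # Pipe real output in (racadm getversion | python3 check.py) or use the sample.
    print(assess(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT))
```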
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated VNC connection attempts
- Failed authentication followed by successful VNC access
- Multiple authentication attempts from single IP
Network Indicators:
- Unusual VNC traffic to iDRAC ports (5900, 5901)
- Direct connections to iDRAC from external IPs
SIEM Query:
source="idrac" AND ((event="VNC_CONNECT" AND user="anonymous") OR (auth_failure_count>0 AND subsequent_vnc_success=true))