CVE-2024-25943
📋 TL;DR
This CVE describes a session hijacking vulnerability in iDRAC9's IPMI interface that allows remote attackers to take over authenticated sessions. Successful exploitation could lead to arbitrary code execution on the vulnerable iDRAC9 system. Affected systems include Dell 14th, 15th, and 16th Generation servers with vulnerable iDRAC9 firmware versions.
💻 Affected Systems
- Dell iDRAC9
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full control of iDRAC9, executes arbitrary code, and potentially compromises the host server management interface, leading to server takeover or data exfiltration.
Likely Case
Attacker hijacks existing IPMI sessions to perform unauthorized management actions, modify configurations, or access sensitive server management data.
If Mitigated
With proper network segmentation and access controls, impact is limited to the management network, preventing lateral movement to production systems.
🎯 Exploit Status
Exploitation requires network access to IPMI interface and ability to hijack existing sessions. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.00.00.172 for 14th Generation, 7.10.50.00 for 15th and 16th Generations
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000226503/dsa-2024-099-security-update-for-dell-idrac9-ipmi-session-vulnerability
Restart Required: Yes
Instructions:
1. Download the appropriate iDRAC9 firmware update from Dell Support.
2. Apply the update via the iDRAC web interface or RACADM.
3. Reboot iDRAC after the update completes.
4. Verify that the firmware version matches the patched version.
🔧 Temporary Workarounds
Restrict IPMI Network Access
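Linux: Limit IPMI interface access to trusted management networks only using firewall rules. IPMI over LAN (RMCP/RMCP+) uses UDP port 623, so the rules must match UDP; replace trusted_network with the management subnet.
iptables -A INPUT -p udp --dport 623 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 623 -j DROP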
Disable IPMI if Not Required
All platforms: Disable the IPMI interface if it is not needed for management operations
racadm config -g cfgIpmiLan -o cfgIpmiLanEnable 0
🧯 If You Can't Patch
- Implement strict network segmentation to isolate iDRAC management interfaces from untrusted networks
- Enable iDRAC authentication logging and monitor for suspicious IPMI session activity
🔍 How to Verify
Check if Vulnerable:
Check iDRAC9 firmware version via web interface or racadm command: racadm getversion
Check Version:
racadm getversion | grep -i idrac
Verify Fix Applied:
Verify firmware version is 7.00.00.172 or higher for 14th Gen, or 7.10.50.00 or higher for 15th/16th Gen
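The version check above can be scripted for a fleet audit. The following is an added example, not code from Dell or from this page: the function names are hypothetical, the thresholds are the fixed versions listed above, and the layout of the `racadm getversion` output is an assumption.

```shell
# Added example; function names are hypothetical.
# fixed_version GEN: print the first patched iDRAC9 release for 14/15/16G.
fixed_version() {
    case "$1" in
        14)    echo "7.00.00.172" ;;
        15|16) echo "7.10.50.00" ;;
        *)     return 2 ;;
    esac
}

# version_ge A B: exit 0 if A >= B, comparing dotted fields as numbers
# so that 7.9.0.0 does not sort above 7.10.50.00.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# extract_idrac_version: read "racadm getversion" output on stdin and print
# the first N.N.N.N token on a line mentioning iDRAC (layout is assumed).
extract_idrac_version() {
    grep -i idrac | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# check_idrac GEN VERSION: print PATCHED, VULNERABLE or UNKNOWN.
check_idrac() {
    fixed=$(fixed_version "$1") || { echo "UNKNOWN"; return 2; }
    case "$2" in
        ''|*[!0-9.]*) echo "UNKNOWN"; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then echo "PATCHED"
    else echo "VULNERABLE"; return 1; fi
}

# Constructed sample output (not captured from a real system).
SAMPLE=' Bios Version = 2.19.1
 iDRAC Version = 7.00.00.171
 Lifecycle Controller Version = 7.00.00.171'
check_idrac 14 "$(printf '%s\n' "$SAMPLE" | extract_idrac_version)" || true
```
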
📡 Detection & Monitoring
Log Indicators:
- Multiple failed IPMI authentication attempts
- IPMI sessions from unexpected source IPs
- IPMI configuration changes from unauthorized users
Network Indicators:
- Unusual IPMI traffic patterns
- IPMI connections from non-management networks
- IPMI session hijacking attempts
SIEM Query:
source="idrac" AND (event_type="authentication_failure" OR event_type="session_hijack")