CVE-2024-3411

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to hijack authenticated IPMI sessions by exploiting insufficient randomness in session IDs or BMC random numbers. An attacker can spoof IPMI packets to bypass authentication and gain unauthorized management access to BMC devices. It affects systems using vulnerable IPMI implementations, particularly Dell iDRAC8, and other BMC implementations.

💻 Affected Systems

Products:
  • Dell iDRAC8
  • Other IPMI 2.0 implementations with vulnerable session management
Versions: iDRAC8 versions prior to 2.90.90.90 (check specific vendor advisories)
Operating Systems: Any OS using vulnerable IPMI/BMC implementations
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with IPMI enabled. Dell iDRAC8 is specifically mentioned, but other IPMI implementations may also be vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the BMC management interface, allowing an attacker to execute arbitrary commands, modify firmware, disable hardware, or establish persistent backdoor access to the server hardware.

🟠 Likely Case

Unauthorized access to BMC management functions, allowing an attacker to reboot systems, modify hardware settings, or gain a foothold for further network exploitation.

🟢 If Mitigated

Limited impact if IPMI interfaces are properly isolated, but still potential for management plane compromise if exploited.

🌐 Internet-Facing: HIGH - If IPMI interfaces are exposed to the internet, attackers can exploit this vulnerability directly without first obtaining internal network access.
🏢 Internal Only: MEDIUM - Requires internal network access, but once obtained, exploitation is straightforward and can lead to significant impact.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to the IPMI interface but does not require valid credentials once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Dell iDRAC8: 2.90.90.90 or later (check specific vendor for other implementations)

Vendor Advisory: https://www.dell.com/support/kbdoc/en-US/000226504/dsa-2024-295-security-update-for-dell-idrac8-ipmi-session-vulnerability

Restart Required: Yes

Instructions:

  1. Check the current iDRAC8 firmware version.
  2. Download the latest firmware from the Dell support site.
  3. Apply the firmware update through the iDRAC web interface or using racadm commands.
  4. Reboot the iDRAC/BMC after the update.

🔧 Temporary Workarounds

Network Isolation

Isolate IPMI/BMC management interfaces from untrusted networks:
  • Configure firewall rules to restrict IPMI access to the management VLAN only
  • Use network ACLs to limit source IP addresses

Disable IPMI if not needed

Completely disable the IPMI interface if it is not required for management:
  • racadm config -g cfgIpmiLan -o cfgIpmiLanEnable 0 (for Dell)
  • Check vendor documentation for disabling IPMI on other implementations

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate IPMI interfaces from all untrusted networks
  • Enable IPMI authentication and use strong, unique credentials (though this doesn't fix the vulnerability, it adds defense in depth)

🔍 How to Verify

Check if Vulnerable:

Check iDRAC8 firmware version: racadm getversion or via web interface. Versions prior to 2.90.90.90 are vulnerable.

Check Version:

racadm getversion (for Dell iDRAC8)

Verify Fix Applied:

Verify firmware version is 2.90.90.90 or later using racadm getversion command or web interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual IPMI authentication patterns
  • Multiple failed session attempts followed by successful authentication from different IP
  • IPMI session ID collisions or anomalies

Network Indicators:

  • Spoofed IPMI packets with predictable session IDs
  • IPMI traffic from unexpected source IPs
  • Abnormal IPMI session establishment patterns

SIEM Query:

source="ipmi" AND (event_type="session_hijack" OR auth_failure>3 AND auth_success=1)
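As an added illustration of the second log indicator above (this script is not part of the advisory), the following Python code applies the "more than three failures, then a success from a different IP" rule to BMC authentication logs. The log line format, the field names and the sample events are all constructed; a real iDRAC or other BMC log will need its own parse_line.

```python
# Added example: flag a burst of failed IPMI logons followed by a success
# from a different IP.  The log line format used here is constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int     # seconds since epoch
    src: str    # client IP address
    user: str   # IPMI user name
    ok: bool    # True when authentication succeeded

def parse_line(line: str) -> Event:
    # Constructed format: "<ts> ipmi src=<ip> user=<name> auth=<ok|fail>"
    ts, _, rest = line.split(" ", 2)
    kv = dict(f.split("=", 1) for f in rest.split())
    return Event(int(ts), kv["src"], kv["user"], kv["auth"] == "ok")

def find_suspicious(lines, window=300, min_failures=3):
    """Return (user, failing_ips, success_ip, ts) for each success that
    follows more than min_failures failures by the same user within window
    seconds, all from other IPs (the auth_failure>3 AND auth_success=1 rule)."""
    hits, recent = [], defaultdict(list)   # user -> [(ts, src)] failures
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e.ts):
        fails = [f for f in recent[ev.user] if ev.ts - f[0] <= window]
        if not ev.ok:
            fails.append((ev.ts, ev.src))
            recent[ev.user] = fails
            continue
        failing_ips = {src for _, src in fails}
        if len(fails) > min_failures and ev.src not in failing_ips:
            hits.append((ev.user, sorted(failing_ips), ev.src, ev.ts))
        recent[ev.user] = []   # a success closes the burst either way
    return hits

# Constructed sample: root fails 4x from 10.0.5.20 then logs in from
# 10.0.9.77 (flagged); admin fails 4x and succeeds from the same IP (not
# flagged, as a user mistyping a password would look the same).
SAMPLE_LOG = [
    "1700000000 ipmi src=10.0.5.20 user=root auth=fail",
    "1700000010 ipmi src=10.0.5.20 user=root auth=fail",
    "1700000020 ipmi src=10.0.5.20 user=root auth=fail",
    "1700000030 ipmi src=10.0.5.20 user=root auth=fail",
    "1700000045 ipmi src=10.0.9.77 user=root auth=ok",
    "1700000100 ipmi src=10.0.5.21 user=admin auth=fail",
    "1700000105 ipmi src=10.0.5.21 user=admin auth=fail",
    "1700000110 ipmi src=10.0.5.21 user=admin auth=fail",
    "1700000115 ipmi src=10.0.5.21 user=admin auth=fail",
    "1700000120 ipmi src=10.0.5.21 user=admin auth=ok",
]
```

Tune window and min_failures to your environment; the same-IP case is left unflagged deliberately so that ordinary password mistakes do not page the on-call engineer.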
