Vulnerabilities found on iDRAC port - but don't make sense?


#1

Hey, wondering if someone can help - we have two iDRAC ports which have been scanned - and two vulnerabilities found -

  1. HTTP negative content buffer overflow - summary being “we could crash the web server by sending an invalid POST HTTP request”
  2. Header overflow against HTTP proxy - summary being “it was possible to kill the HTTP proxy by sending an invalid request”

The thing is, neither of those iDRACs acts as either a web server or a proxy server - it says the solution is to “upgrade your software” for the proxy, and “upgrade your web server” for the web server - but does this mean the firmware (which is up to date anyway) or something else?

Or are they just false positives?

Greatly appreciate any response.


#2

Hi,

If you’re getting these vulnerability messages, this means you’re using either any of the pre-defined Ultimate scan configs or your own scan configuration with safe_checks set to no.

Such scan configurations run active Denial of Service attacks against the target host with the goal of stopping exposed services. Embedded devices like iDRACs in particular might be affected even if the actual vulnerability description names different products / protocols.

Basically, it is also always possible that the usage of such scan configurations shows possible false positives if some firewall or IDS/IPS devices in between the scanner and the target host are interfering with the probes sent out to test for the vulnerabilities: False positive or not false positive
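As an added example (not code from the thread or from the scanner project), here is a small triage script for the situation described above: it reads a scan-config export to see whether safe_checks is on, then lists which report findings came from NVTs in the "Denial of Service" family, since those are the probes that only run with safe_checks=no and that an intermediate firewall or IDS/IPS can turn into false positives. The XML below is a constructed, simplified sample that mimics the shape of a GVM/OpenVAS report (`<result>` with `<nvt>`/`<family>`/`<threat>`) and scan-config preference list (`<preference>` with `<name>`/`<value>`); the real exports carry many more elements, the NVT OIDs here are placeholders, and the assumption that safe_checks defaults to yes when absent is noted in the code.

```python
"""Triage of Denial-of-Service scanner findings (added example, constructed data)."""
import xml.etree.ElementTree as ET

DOS_FAMILY = "Denial of Service"

# Constructed sample: scan-config export with the safe_checks preference set to "no".
SAMPLE_CONFIG_XML = """<config id="placeholder-config-id">
  <name>Own scan config</name>
  <preferences>
    <preference><name>safe_checks</name><value>no</value></preference>
    <preference><name>max_checks</name><value>4</value></preference>
  </preferences>
</config>"""

# Constructed sample report: two DoS-family results (the names quoted in the
# thread) and one unrelated result. OIDs are placeholders, not real NVT OIDs.
SAMPLE_REPORT_XML = """<report>
  <results>
    <result id="r1">
      <name>HTTP negative Content-Length buffer overflow</name>
      <host>192.0.2.10</host><port>443/tcp</port>
      <nvt oid="placeholder-oid-1"><family>Denial of Service</family></nvt>
      <threat>High</threat>
    </result>
    <result id="r2">
      <name>Header overflow against HTTP proxy</name>
      <host>192.0.2.11</host><port>443/tcp</port>
      <nvt oid="placeholder-oid-2"><family>Denial of Service</family></nvt>
      <threat>High</threat>
    </result>
    <result id="r3">
      <name>Self-signed certificate (constructed sample)</name>
      <host>192.0.2.10</host><port>443/tcp</port>
      <nvt oid="placeholder-oid-3"><family>SSL and TLS</family></nvt>
      <threat>Medium</threat>
    </result>
  </results>
</report>"""


def safe_checks_enabled(config_xml):
    """Return True if the config's safe_checks preference is 'yes'.

    Assumption: when the preference is absent the scanner default (yes) applies.
    """
    root = ET.fromstring(config_xml)
    for pref in root.iter("preference"):
        if pref.findtext("name") == "safe_checks":
            return pref.findtext("value", "").strip().lower() == "yes"
    return True


def triage_findings(report_xml, safe_checks):
    """Return every result as a dict with a 'review' hint for DoS-family findings."""
    findings = []
    root = ET.fromstring(report_xml)
    for res in root.iter("result"):
        nvt = res.find("nvt")
        family = nvt.findtext("family", "") if nvt is not None else ""
        entry = {
            "id": res.get("id"),
            "name": res.findtext("name", ""),
            "host": res.findtext("host", ""),
            "port": res.findtext("port", ""),
            "family": family,
            "threat": res.findtext("threat", ""),
        }
        if family == DOS_FAMILY:
            if safe_checks:
                entry["review"] = "unexpected: DoS NVT reported although safe_checks=yes"
            else:
                # The probe crashed (or appeared to crash) the service: confirm on the
                # device itself, and compare against a re-scan with safe_checks=yes.
                entry["review"] = ("DoS probe (safe_checks=no): verify the service really "
                                   "stopped responding; re-scan with safe_checks=yes to compare")
        else:
            entry["review"] = "none"
        findings.append(entry)
    return findings


def dos_findings(report_xml, config_xml):
    """Only the findings that came from DoS-family NVTs, using the config's safe_checks value."""
    enabled = safe_checks_enabled(config_xml)
    return [f for f in triage_findings(report_xml, enabled) if f["family"] == DOS_FAMILY]


if __name__ == "__main__":
    for f in dos_findings(SAMPLE_REPORT_XML, SAMPLE_CONFIG_XML):
        print(f["host"], f["port"], f["name"], "->", f["review"])
```

Run against a real report and config export, the same two functions separate "the scanner knocked the service over" from findings that describe an actual exposed product, which is the distinction the reply above draws.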


#3

Hey,

Thank you for your quick response. Yeah, that’s right, we’re using our own scan config - OK, that sort of makes sense. We are scanning internally, so our perimeter firewall, which does have IDS, shouldn’t be playing a part, so perhaps it is showing a vulnerability because of the DoS - especially as, looking into it further, the application specific to that error is something called “avirt gateway suite”, which we don’t use.

We’ll run another scan and see what comes up. Thanks for your help.