Manualshelf

Release Notes

ManualsBrandsDell ManualsActive System ManagerDRAC4 Version 1.70
10111213141516171819
file:///T|/htdocs/SOFTWARE/smdrac3/drac4/170/en/readme/readme.txt[10/26/2012 8:38:00 AM]
may see the following vulnerabilities reported:
- Nessus reports HTTP (80/tcp) vulnerability as: "The remote
proxy is vulnerable to format strings attacks when issued a
badly-formed user name. This flaw allows an attacker to execute
arbitrary code on this host."
This report is displayed due to all HTTP requests
(legal or not) being forwarded by the DRAC 4 to HTTPS.
It is not a security issue on the DRAC 4.
- Nessus reports HTTP (80/tcp) vulnerability as: "It may be
possible to make a web server execute arbitrary code by sending
it a too long URL after/jsp.
For example, GET /jsp/AAAA.....AAAAA."
This report is displayed due to all HTTP requests (legal or
not) being forwarded by the DRAC 4 to HTTPS. It is not a
security issue on the DRAC 4.
- Nessus reports HTTP (80/tcp) vulnerability as: "It was possible
to disable the remote IIS server by making a specially formed
PROPFIND request."
This report is displayed due to all HTTP requests (legal
or not) being forwarded by the DRAC 4 to HTTPS. It is not
a security issue on the DRAC 4.
- Nessus reports HTTPS (443/tcp) vulnerability as: "The remote
web server is vulnerable to a format string attack. If it is
ePolicy Orchestrator, an attacker may use this flaw to execute
code with the SYSTEM privileges on this host."
The DRAC 4 returns Error 414 with an unsupported long format
string in the GET operation. This operation is correct and
should not cause any security vulnerability.
- Nessus reports syslog (514/udp) vulnerability as: "WinSyslog is
an enhanced syslog server for Windows. A vulnerability in the
product allows remote attackers to cause the WinSyslog to
freeze, which in turn will also freeze the operating system
on which the product executes."
Since the DRAC 4 does not support WinSyslog port 514,
the Nessus plug-in gets confused. This report is not a
security issue on the DRAC 4.
* The DRAC 4 racadm version 4.0.0 does not support management of
remote ERA/MC DRAC configurations. ERA/MC configurations should
continue to be managed by the racadm utility that officially
supports the ERA/MC configuration.
* DRAC 4 allows CA Enterprise Root Server and all user type
certificates to be uploaded into the DRAC 4 Web server, which