White Papers

ManualsBrandsDell ManualsConverged InfrastructureSystems Management Solution Resources

8 Improved security of iDRAC9 with Lifecycle Controller via SMB2 Protocol

3 Dell-EMC SMB2 client support

The support for CIFS/SMBv1 protocol has changed in recent releases of iDRAC with Lifecycle Controller.

While these changes are not visible to the end user, they remediate known issues of CIFS/SMBv1 protocol.

CIFS/SMBv1 reportedly have security flaws that an attacker can exploit to execute rouge code by sending

specially crafted messages to a SMBv1 server.

The releases starting which iDRAC with LC supports SMB2 protocol are listed in the table.

The versions marked as No for SMBv2 support CIFS/SMBv1.

PowerEdge server generation

iDRAC version

iDRAC supports

SMBv2

LC UI supports

SMBv2

and 13

generations

2.52.52.52

Yes

and 13

generations

2.60.60.60

Yes

generation

3.00.00.00

generation

3.02.00.01 - 3.21.21.21

Yes

In 14

generation, SMBv2 support in LC UI will be added in an upcoming iDRAC release targeted at Q1

CY2019.

For more details about the systems and iDRAC releases, see the following links:

PowerEdge systems product support site

www.dell.com/poweredgemanuals

iDRAC product support site

www.dell.com/idracmanuals

iDRAC with LC performs additional security checks and supports some of the required features of SMB2 with

a few simple measures. While some dialects (versions) and features are currently not supported, they will be

supported in future releases.

iDRAC SMBv2 client supports the following features:

• Supports SMB 2.1 (0x210) dialect only.

• Supports NTLMv2 protocol for authentication.

• Supports both 56-bit and 128-bit encryption.

• Supports message signing.

LC UI SMBv2 client supports the following features:

• Supports SMB 2.0.2 (0x202) and SMB 2.1 (0x210) dialects.

• Supports NTLMv2 protocol for authentication.

• Supports only 128-bit encryption as part of NTLMv2.

Note: Message signing is not supported in current releases. However, limited data intake, such as DUP

file as input, which is validated at different steps, reduces the need for message signing in this pre-boot

UEFI application.

At the time of writing this white paper. no SMBv3 protocol or dialects are supported.