Improved security of iDRAC9 with Lifecycle Controller via SMB2 Protocol Maintaining best in class security of Dell EMC PowerEdge Servers Abstract This technical white paper provides detailed information about SMB2 Protocol support in iDRAC with Lifecycle controller.
Revisions Date Description October 2018 Initial release Acknowledgements This paper was produced by the following members of the Dell EMC storage engineering team: Authors: • Aniruddha Herekar • Doug Iler • Murali Somarothu The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Table of contents Revisions.............................................................................................................................................................................2 Acknowledgements .............................................................................................................................................................2 Executive summary & Commonly Used Terms ..............................................................................................
Executive summary Security is critical to the operational success of any data center. Dell EMC is committed to continually improve the code to provide the most secure solution to its customers. With the latest firmware release of iDRAC with Lifecycle Controller, support for CIFS/SMBv1 is deprecated and is replaced with SMB Protocol 2 support. SMB2 includes SMBv2 and SMBv3 and, in this document, the term SMB2 referred to both.
1 Introduction In 2017, there was a cyberattack by a crypto ransomware worm named WannaCry. This worm targeted systems with Microsoft Windows OS. WannaCry encrypted the files on the target computers and demanded ransom to decrypt them. The vulnerability that WannaCry exploits lies in the Windows implementation of the CIFS/SMBv1 protocol. Exploiting this protocol, the WannaCry ransomware pushed specifically crafted executable messages on the targets and execute code to encrypt the files.
2 Advantages of SMB2 over CIFS/SMB1 SMB2 protocol provides better security and durability. Following are advantages of SMB2 over CIFS and a summary of the changes in each version of SMB. SMB version Change history SMB 1.0 Initial release of SMB. SMB 2.
For more information about SMB and the versions, see the following Microsoft blog: https://blogs.technet.microsoft.com/josebda/2013/10/02/windows-server-2012-r2-which-version-of-the-smbprotocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using More details about the features listed earlier are as follows: • • • • • • • • • • • Password encryption and authentication is improved by using the stronger HMAC-MD5 algorithm (NTLMv2) compares to the previous DES algorithm (LAN Manager).
3 Dell-EMC SMB2 client support The support for CIFS/SMBv1 protocol has changed in recent releases of iDRAC with Lifecycle Controller. While these changes are not visible to the end user, they remediate known issues of CIFS/SMBv1 protocol. CIFS/SMBv1 reportedly have security flaws that an attacker can exploit to execute rouge code by sending specially crafted messages to a SMBv1 server. The releases starting which iDRAC with LC supports SMB2 protocol are listed in the table.
Even though CIFS protocol is replaced with SMB2 protocol at the backend, the interfaces (iDRAC and LC GUI) still display the name CIFS. Example are shown in the following images. Note: Dell EMC recommends updating the iDRAC firmware and other firmware such as BIOS, network card, and so on, to latest versions. Updating the firmware provides the security benefits of SMB2 protocol.
4 Conclusion SMBv2 protocol has replaced the older CIFS/SMBv1 protocol. SMBv2 protects against security threats and provides the benefits of other security measures. Dell EMC is committed to improve security measures and provide the users with secure products. We will be improving the security measures in SMB2 and other protocols in future releases. We recommend that users check the New and enhanced features section in the Release Notes for iDRAC releases for details of enhancements.
A Glossary Component Description AES-CCM Advanced Encryption Standard-Counter with Cipher Block Chaining-Message Authentication Code AES-CMAC Advanced Encryption Standard- Cipher-based Message Authentication Code CIFS Common Internet File System DES The Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data. DUP Dell Update Package - Firmware update executable file.
B Technical support and resources The Dell EMC Support website is focused on meeting customer needs with proven services and support. The Dell EMC Knowledge Base is an online technical community where IT professionals have access to numerous resources for Dell EMC software, hardware and services. This link takes you directly to the iDRAC page. B.1 12 Related references/ resources Document Name (Document Link) Document Description https://en.wikipedia.