CVE-2024-3411

CRITICAL

Dell iDRAC8 - Insufficient Entropy in IPMI Session Authentication

Title source: llm

Description

Implementations of IPMI Authenticated sessions does not provide enough randomness to protect from session hijacking, allowing an attacker to use either predictable IPMI Session ID or weak BMC Random Number to bypass security controls using spoofed IPMI packets to manage BMC device.

References (4)

Core 4

Core References

Various Sources

https://www.intel.la/content/dam/www/public/us/en/documents/specification-updates/ipmi-intelligent-platform-mgt-interface-spec-2nd-gen-v2-0-spec-update.pdf

Various Sources

https://www.dell.com/support/kbdoc/en-US/000226504/dsa-2024-295-security-update-for-dell-idrac8-ipmi-session-vulnerability

Third Party Advisory, US Government Resource

https://kb.cert.org/vuls/id/163057

Third Party Advisory, US Government Resource

https://www.kb.cert.org/vuls/id/163057

Scores

CVSS v3 9.1

EPSS 0.0072

EPSS Percentile 48.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-331

Status published

Products (2)

Dell/iDRAC8 2.86.86.86

Intel/IPMI 2.0, revision 1.1E7

Published Apr 30, 2024

Tracked Since Feb 18, 2026