DSA-2019-001: Dell Networking OS10 Improper Certificate Validation Vulnerability

DSA-2019-001: Dell Networking OS10 Improper Certificate Validation Vulnerability




CVE Identifier: CVE-2018-15784

Dell Identifier: DSA-2019-001

Severity: High

Severity Rating: CVSS Base Score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected products:

Dell Networking OS10 versions prior to 10.4.3.0

Summary:

Dell Networking OS10 has been updated to address a vulnerability which may be potentially exploited to compromise the system.

Details:

Dell Networking OS10 versions prior to 10.4.3.0 contain a vulnerability in the Phone Home feature which does not properly validate the server’s certificate authority during TLS handshake. Use of an invalid or malicious certificate could potentially allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.

Resolution:

The following Dell OS10 versions have been patched to resolve this vulnerability:

  • Dell OS10 versions 10.3.2-R2,
  • Dell OS10 versions 10.4.0-R3S,
  • Dell OS10 versions 10.4.1.4,
  • Dell OS10 versions 10.4.2.1 and later.

Dell recommends all customers upgrade or apply available patches at the earliest opportunity.

If an upgrade cannot be done immediately, Dell recommends to disable the SupportAssist feature on Dell Networking OS10 versions prior to 10.4.3.0.

Link to remedies:

Customers can download software from https://www.dell.com/support/software/.

Customers can disable the phone home feature by disabling SupportAssist. Command reference: Page 945 of OS10 Enterprise Edition User Guide Release 10.4.2.0 https://topics-cdn.dell.com/pdf/force10-s3048-on_Connectivity-Guide4_en-us.pdf

Credit:

Dell would like to thank Thorsten Tüllmann from the Karlsruhe Institute of Technology for reporting this vulnerability.





Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.




Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN315899

Last Date Modified: 02/07/2019 03:57 PM


Rate this article

Accurate
Useful
Easy to understand
Was this article helpful?
Yes No
Send us feedback
Comments cannot contain these special characters: <>()\
Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.