DSA-2019-034: Dell EMC Networking OS10 Undocumented Default Cryptographic Key Vulnerability

DSA-2019-034: Dell EMC Networking OS10 Undocumented Default Cryptographic Key Vulnerability

CVE Identifier: CVE-2019-3710
Dell Identifier: DSA-2019-034
Severity: High

Severity Rating: CVSS Base Score: 8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected products:
Dell Networking OS10 versions prior to 10.4.3.

Dell Networking OS10 has been updated to address a vulnerability which may be potentially exploited to compromise the system.

Dell EMC Networking OS10 versions prior to 10.4.3 contain a cryptographic key vulnerability due to an underlying application using undocumented, pre-installed X.509v3 key/certificate pairs. An unauthenticated remote attacker with the knowledge of the default keys may potentially be able to intercept communications or operate the system with elevated privileges.

Dell EMC Networking OS10 version 10.4.3 provides the ability for the users to replace the pre-installed X.509 key/certificate pairs with their own pairs. The key/certificate replacement is recommended to be done when operating in a Fabric Mode such as Virtual Link Trunking in order to secure the system.

The following Dell EMC Networking OS10 version have been updated to address this vulnerability:

  • Dell Networking OS10 versions 10.4.3

    Dell EMC recommends all customers upgrade at the earliest opportunity.

    Customers are advised to follow the OS 10.4.3 User Guide (https://downloads.dell.com/manuals/common/os10-4-3-0-enterprise_ug_en-us.pdf)
    to securely configure OS10 and install/replace the X.509v3 key/certificate pairs (see the System Management, Security, X.509v3 certificates section in the User Guide).

    Link to remedies:
    Customers can download software from https://www.dell.com/support/software/

    Dell would like to thank Thorsten Tüllmann from the Karlsruhe Institute of Technology for reporting this vulnerability.

    Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

  • Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

    Article ID: SLN316558

    Last Date Modified: 04/15/2019 09:57 AM

    Rate this article

    Easy to understand
    Was this article helpful?
    0/3000 characters
    Please provide ratings (1-5 stars).
    Please provide ratings (1-5 stars).
    Please provide ratings (1-5 stars).
    Please select whether the article was helpful or not.
    Comments cannot contain these special characters: <>()\
    characters left.