CVE Identifier: CVE-2019-3710
Dell Identifier: DSA-2019-034
Severity Rating: CVSS Base Score: 8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Dell Networking OS10 versions prior to 10.4.3.
Dell Networking OS10 has been updated to address a vulnerability which may be potentially exploited to compromise the system.
Dell EMC Networking OS10 versions prior to 10.4.3 contain a cryptographic key vulnerability due to an underlying application using undocumented, pre-installed X.509v3 key/certificate pairs. An unauthenticated remote attacker with the knowledge of the default keys may potentially be able to intercept communications or operate the system with elevated privileges.
Dell EMC Networking OS10 version 10.4.3 provides the ability for the users to replace the pre-installed X.509 key/certificate pairs with their own pairs. The key/certificate replacement is recommended to be done when operating in a Fabric Mode such as Virtual Link Trunking in order to secure the system.
The following Dell EMC Networking OS10 version have been updated to address this vulnerability:
Dell EMC recommends all customers upgrade at the earliest opportunity.
Customers are advised to follow the OS 10.4.3 User Guide (https://downloads.dell.com/manuals/common/os10-4-3-0-enterprise_ug_en-us.pdf)
to securely configure OS10 and install/replace the X.509v3 key/certificate pairs (see the System Management, Security, X.509v3 certificates section in the User Guide).
Link to remedies:
Customers can download software from https://www.dell.com/support/software/
Dell would like to thank Thorsten Tüllmann from the Karlsruhe Institute of Technology for reporting this vulnerability.
Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Article ID: SLN316558Last Date Modified: 04/15/2019 09:57 AM