iSM: Dell EMC iDRAC Service Module Improper File Permission Vulnerability

iSM: Dell EMC iDRAC Service Module Improper File Permission Vulnerability


CVE Identifier: CVE-2018-11053

Severity: Medium

Affected products: Dell EMC iDRAC Service Module 3.0.1, 3.0.2, 3.1.0, 3.2.0 (for all supported Linux and XenServer operating systems)

Summary:

Dell EMC iDRAC Service Module (iSM) has been updated to fix an improper file permission vulnerability that could potentially be exploited by malicious host operating system users or processes to compromise the affected system.

Details:

Dell EMC iDRAC Service Module for all supported Linux and XenServer versions 3.0.1, 3.0.2, 3.1.0, 3.2.0, when started, changes the default file permission of the hosts file of the host operating system (/etc/hosts) to world writable. A malicious low privileged operating system user or process could modify the host file and potentially redirect traffic from the intended destination to sites hosting malicious or unwanted content.


iDRAC Service Module for Windows or VMWare ESXi is not affected by this issue
If the /etc/hosts file permissions are changed after patch upgrade they will be changed back to Linux default read-only permissions at each iSM service start regardless if the permissions were intentionally changed later.

The following Dell EMC iDRAC Service Module releases contain resolution to this vulnerability:

  • Dell EMC iDRAC Service Module 3.2.0.1 (for all supported Linux and XenServer operating systems)
  • Dell EMC iDRAC Service Module 3.1.0.1 (for all supported Linux and XenServer operating systems)

Dell EMC recommends upgrading at the earliest opportunity. Downloads for the applicable operating system are below:

Security patch for iSM 3.2.0
Security patch for iSM 3.1.0

Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.




Article ID: SLN310281

Last Date Modified: 07/02/2018 11:42 AM


Rate this article

Accurate
Useful
Easy to understand
Was this article helpful?
Yes No
Send us feedback
Comments cannot contain these special characters: <>()\
Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.