DSA-2021-133: Dell iDRAC Security Update for Multiple Security Vulnerabilities
요약: Dell iDRAC remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
이 문서는 다음에 적용됩니다.
이 문서는 다음에 적용되지 않습니다.
이 문서는 특정 제품과 관련이 없습니다.
모든 제품 버전이 이 문서에 나와 있는 것은 아닙니다.
영향
Medium
세부 정보
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21581 | Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-21580 | Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVE-2021-21579 |
Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21578 | Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21577 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21576 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21581 | Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-21580 | Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVE-2021-21579 |
Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21578 | Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21577 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21576 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
영향을 받는 제품 및 문제 해결
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-21576 | Dell EMC iDRAC9 | Versions before 4.40.40.00 | 4.40.40.00 | 4.40.40.00 |
| CVE-2021-21579 | ||||
| CVE-2021-21578 |
||||
| CVE-2021-21577 |
||||
| CVE-2021-21581 | Dell EMC iDRAC9 | Versions before 5.00.00.00 | 5.00.00.00 | 5.00.00.00 |
| CVE-2021-21580 | Dell EMC iDRAC8 and Dell EMC iDRAC9 |
Versions before 2.80.80.80 & 5.00.00.00 | 2.80.80.80 and 5.00.00.00 | 2.80.80.80 5.00.00.00 |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-21576 | Dell EMC iDRAC9 | Versions before 4.40.40.00 | 4.40.40.00 | 4.40.40.00 |
| CVE-2021-21579 | ||||
| CVE-2021-21578 |
||||
| CVE-2021-21577 |
||||
| CVE-2021-21581 | Dell EMC iDRAC9 | Versions before 5.00.00.00 | 5.00.00.00 | 5.00.00.00 |
| CVE-2021-21580 | Dell EMC iDRAC8 and Dell EMC iDRAC9 |
Versions before 2.80.80.80 & 5.00.00.00 | 2.80.80.80 and 5.00.00.00 | 2.80.80.80 5.00.00.00 |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
개정 내역
| Revision | Date | Description |
| 1.0 | 2021-06-30 | Initial Release |
감사의 말
CVE-2021-21580: Dell Technologies would like to thank Jameel Nabbo for reporting this issue.
CVE-2021-21576, CVE-2021-21577, CVE-2021-21578, and CVE-2021-21579: Dell Technologies would like to thank Kajetan Rostojek for reporting these issues.
관련 정보
법적 고지 사항
해당 제품
iDRAC8, iDRAC9, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7/8 with Lifecycle Controller Version 2.61.60.60
, iDRAC7/8 with Lifecycle Controller Version 2.62.60.60, iDRAC7/8 with Lifecycle Controller Version 2.63.60.61, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.18.17.13, iDRAC8 with Lifecycle Controller Version 2.30.119.30, iDRAC8 with Lifecycle Controller Version 2.35.35.35, iDRAC8 with Lifecycle Controller Version 2.42.110.40, iDRAC8 with Lifecycle Controller Version 2.45.45.40, iDRAC8 with Lifecycle Controller Version 2.55.55.50, iDRAC8 with Lifecycle Controller version 2.70.70.70, iDRAC8 with Lifecycle Controller version 2.75.75.75, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05, iDRAC8 with Lifecycle Controller Version 2.23.23.21, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC8 with Lifecycle Controller Version 2.00.00.00, iDRAC8 with Lifecycle Controller Version 2.02.01.01, Product Security Information
...
문서 속성
문서 번호: 000189193
문서 유형: Dell Security Advisory
마지막 수정 시간: 30 6월 2021
다른 Dell 사용자에게 질문에 대한 답변 찾기
지원 서비스
디바이스에 지원 서비스가 적용되는지 확인하십시오.