DSA-2021-133: Dell iDRAC Security Update for Multiple Security Vulnerabilities

Oversigt: Dell iDRAC remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Denne artikel gælder for Denne artikel gælder ikke for Denne artikel er ikke knyttet til et bestemt produkt. Det er ikke alle produktversioner, der er identificeret i denne artikel.
Udforsk andre ressourcer

Virkning

Medium

Oplysninger

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21581 Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-21580 Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2021-21579
 		 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21578 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21577 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21576 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21581 Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-21580 Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2021-21579
 		 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21578 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21577 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21576 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Dell Technologies anbefaler, at alle kunder tager hensyn til både CVSS-basisresultatet og alle relevante tidsmæssige og miljømæssige resultater, som kan have betydning for den potentielle alvorsgrad, der er forbundet med en bestemt sikkerhedsrisiko.

Berørte produkter og udbedring

CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-21576 Dell EMC iDRAC9 Versions before 4.40.40.00 4.40.40.00 4.40.40.00
CVE-2021-21579
CVE-2021-21578
 
CVE-2021-21577
 
CVE-2021-21581 Dell EMC iDRAC9 Versions before 5.00.00.00 5.00.00.00 5.00.00.00
CVE-2021-21580 Dell EMC iDRAC8 and Dell EMC iDRAC9
 		 Versions before 2.80.80.80 & 5.00.00.00 2.80.80.80 and 5.00.00.00 2.80.80.80
5.00.00.00

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-21576 Dell EMC iDRAC9 Versions before 4.40.40.00 4.40.40.00 4.40.40.00
CVE-2021-21579
CVE-2021-21578
 
CVE-2021-21577
 
CVE-2021-21581 Dell EMC iDRAC9 Versions before 5.00.00.00 5.00.00.00 5.00.00.00
CVE-2021-21580 Dell EMC iDRAC8 and Dell EMC iDRAC9
 		 Versions before 2.80.80.80 & 5.00.00.00 2.80.80.80 and 5.00.00.00 2.80.80.80
5.00.00.00

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Revisionshistorik

RevisionDateDescription
1.02021-06-30Initial Release

Bekræftelser

CVE-2021-21580: Dell Technologies would like to thank Jameel Nabbo for reporting this issue.

CVE-2021-21576, CVE-2021-21577, CVE-2021-21578, and CVE-2021-21579: Dell Technologies would like to thank Kajetan Rostojek for reporting these issues.

Relaterede oplysninger

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Ansvarsfraskrivelse

Berørte produkter

iDRAC8, iDRAC9, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7/8 with Lifecycle Controller Version 2.61.60.60 , iDRAC7/8 with Lifecycle Controller Version 2.62.60.60, iDRAC7/8 with Lifecycle Controller Version 2.63.60.61, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.18.17.13, iDRAC8 with Lifecycle Controller Version 2.30.119.30, iDRAC8 with Lifecycle Controller Version 2.35.35.35, iDRAC8 with Lifecycle Controller Version 2.42.110.40, iDRAC8 with Lifecycle Controller Version 2.45.45.40, iDRAC8 with Lifecycle Controller Version 2.55.55.50, iDRAC8 with Lifecycle Controller version 2.70.70.70, iDRAC8 with Lifecycle Controller version 2.75.75.75, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05, iDRAC8 with Lifecycle Controller Version 2.23.23.21, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC8 with Lifecycle Controller Version 2.00.00.00, iDRAC8 with Lifecycle Controller Version 2.02.01.01, Product Security Information ...
Artikelegenskaber
Artikelnummer: 000189193
Artikeltype: Dell Security Advisory
Senest ændret: 30 jun. 2021
Find svar på dine spørgsmål fra andre Dell-brugere
Supportservices
Kontrollér, om din enhed er dækket af supportservices.