DSA-2024-018: Security Update for Dell iDRAC Service Module for Weak Folder Permission Vulnerabilities

Summary: Dell iDRAC Service Module remediation is available for iSM for Windows versions 5.3.0.0, 5.2.0.0 and 5.1.0.0, addressing a vulnerability that could be exploited by malicious users to compromise the affected system. ...


Impact

High

Additional Information

This remediation is only applicable if Dell iDRAC Service Module (iSM) for Windows is installed in a custom location other than C:\Program Files\Dell\SysMgt.

Details

Proprietary Code CVEs

CVE ID: CVE-2024-22428
Description: Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability. It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system. Dell recommends customers upgrade at the earliest opportunity.
CVSS Base Score: 7.0
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Dell Technologies recommends that all customers consider both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed: CVE-2024-22428
Product: iDRAC Service Module
Software/Firmware: iDRAC Service Module Release Build for Windows
Affected Versions: Versions prior to 5.3.0.0, A00
Remediated Versions: Version 5.3.0.0, A00 or later
Link: iDRAC Service Module Release Build for Windows, v5.3.0.0

CVEs Addressed: CVE-2024-22428
Product: iDRAC Service Module
Software/Firmware: iDRAC Service Module Release Build for Windows
Affected Versions: Versions prior to 5.2.0.0, A00
Remediated Versions: Version 5.2.0.0, A00 or later
Link: iDRAC Service Module Release Build for Windows, v5.2.0.0

CVEs Addressed: CVE-2024-22428
Product: iDRAC Service Module
Software/Firmware: iDRAC Service Module Release Build for Windows
Affected Versions: Versions prior to 5.1.0.0, A00
Remediated Versions: Version 5.1.0.0, A00 or later
Link: iDRAC Service Module Release Build for Windows, v5.1.0.0
NOTE: In addition to the wording below, which refers specifically to a Windows-based directory structure, Dell confirms that the issue discussed in this Security Advisory:

- does not impact the Linux version of the iDRAC Service Module,
- does not impact the iDRAC Service Module ViB for ESXi.

The hotfix is only applicable to hosts running Microsoft Windows Server and Client operating systems.

This patch is only applicable if Dell iDRAC Service Module (iSM) is installed in a custom location other than the default path: "C:\Program Files\Dell\SysMgt\"

Workarounds and Mitigations

CVE ID: CVE-2024-22428
Workaround and Mitigation: Install iSM at the default location
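Because the advisory only applies when iSM lives outside C:\Program Files\Dell\SysMgt, a defender's first check is whether the actual install folder grants write-type rights to principals every local user belongs to. The following PowerShell audit is an added example and is not Dell's code; the install path is a parameter you must point at the custom location used on the host, and the list of low-privilege principals is an assumption.

```powershell
# Added example (not Dell's code): audit the iSM install folder for ACL entries that let
# low-privilege principals write into it, the weak-permission condition behind CVE-2024-22428.
# $InstallPath is an assumption: set it to the custom location actually used on the host.
param(
    [string]$InstallPath = 'C:\Program Files\Dell\SysMgt'
)

$DefaultPath = 'C:\Program Files\Dell\SysMgt'

# Principals that any local unprivileged user is a member of (assumed list).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow planting or replacing files, or rewriting the ACL itself.
$WriteLike = [int][System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'

if ($InstallPath.TrimEnd('\') -ieq $DefaultPath) {
    Write-Output "iSM is at the default path; per the advisory the hotfix does not apply. Auditing anyway."
}
if (-not (Test-Path -LiteralPath $InstallPath)) {
    throw "Path not found: $InstallPath"
}

# Folders created outside Program Files often inherit looser ACLs from their parent,
# so check the root folder and everything beneath it, reporting inherited entries too.
$findings = @()
$items = @(Get-Item -LiteralPath $InstallPath) + @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity: skip
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteLike) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Path      = $item.FullName
            Principal = $LowPrivSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No write-type rights for low-privilege principals under $InstallPath."
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the output is a folder or file that an unprivileged local user can modify; reinstalling at the default location, as the workaround states, or applying the remediated version removes the condition.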

Revision History

Revision  Date        Description
1.0       2024-01-15  Initial Release.
2.0       2024-01-16  Changes to formatting without content changes.
3.0       2024-01-18  Updated the "Affected Versions" to read 5.2.0.0.
4.0       2024-01-30  Updated the additional info field to highlight this only applies to specific OSes.
5.0       2024-02-07  Added specific links to hotfix and full download for Windows.
6.0       2024-02-12  Minor formatting changes and URL link spelling update.
7.0       2024-02-13  Formatting update without content changes.
8.0       2024-02-16  Added specific language targeted at Linux-based and ESXi versions of iSM.
9.0       2024-02-16  Formatting changes without content changes.
10.0      2024-03-07  Multiple content updates: Summary, additional details, remediation table.
11.0      2024-06-13  Updated for enhanced presentation with no other changes to content.
12.0      2024-06-21  Updated for enhanced presentation with no other changes to content.
13.0      2024-06-21  Spelling enhancements.

Related Information

Affected Products

iDRAC Service Module, iDRAC Service Module 5.x, 7920 XL Rack, Poweredge C4140, PowerEdge C6420, PowerEdge C6520, PowerEdge C6525, PowerEdge C6600, PowerEdge C6615, PowerEdge C6620, PowerEdge FC640, PowerEdge HS5610, PowerEdge HS5620, PowerEdge M640 , PowerEdge M640 (for PE VRTX), PowerEdge MX740C, PowerEdge MX750c, PowerEdge MX760c, PowerEdge MX840C, PowerEdge R240, PowerEdge R250, PowerEdge R340, PowerEdge R350, PowerEdge R360, PowerEdge R440, PowerEdge R450, PowerEdge R540, PowerEdge R550, PowerEdge R6415, PowerEdge R650, PowerEdge R650xs, PowerEdge R6515, PowerEdge R6525, PowerEdge R660, PowerEdge R660xs, PowerEdge R6615, PowerEdge R6625, PowerEdge R740, PowerEdge R740XD, PowerEdge R740XD2, PowerEdge R7415, PowerEdge R7425, PowerEdge R750, PowerEdge R750XA, PowerEdge R750xs, PowerEdge R7515, PowerEdge R7525, PowerEdge R760, PowerEdge R760XA, PowerEdge R760xd2, PowerEdge R760xs, PowerEdge R7615, PowerEdge R7625, PowerEdge R840, PowerEdge R860, PowerEdge R940, PowerEdge R940xa, PowerEdge R960, PowerEdge T140, PowerEdge T150, PowerEdge T340, PowerEdge T350, PowerEdge T360, PowerEdge T440, PowerEdge T550, PowerEdge T560, PowerEdge T640, PowerEdge XE2420, PowerEdge XE7420, PowerEdge XE7440, PowerEdge XE8545, PowerEdge XE8640, PowerEdge XE9640, PowerEdge XE9680, PowerEdge XR11, PowerEdge XR12, PowerEdge XR4510c, PowerEdge XR4520c, PowerEdge XR5610, PowerEdge XR7620, PowerEdge XR8000r, PowerEdge XR8610t, PowerEdge XR8620t, Precision 7960 Rack ...
Article Properties
Article Number: 000221129
Article Type: Dell Security Advisory
Last Modified: 24 Jun 2024