DSA-2021-133: Dell iDRAC Security Update for Multiple Security Vulnerabilities

Summary: Dell iDRAC remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

Medium

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21581 Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-21580 Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2021-21579
 		 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21578 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21577 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21576 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21581 Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-21580 Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2021-21579
 		 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21578 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21577 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21576 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-21576 Dell EMC iDRAC9 Versions before 4.40.40.00 4.40.40.00 4.40.40.00
CVE-2021-21579
CVE-2021-21578
 
CVE-2021-21577
 
CVE-2021-21581 Dell EMC iDRAC9 Versions before 5.00.00.00 5.00.00.00 5.00.00.00
CVE-2021-21580 Dell EMC iDRAC8 and Dell EMC iDRAC9
 		 Versions before 2.80.80.80 & 5.00.00.00 2.80.80.80 and 5.00.00.00 2.80.80.80
5.00.00.00

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-21576 Dell EMC iDRAC9 Versions before 4.40.40.00 4.40.40.00 4.40.40.00
CVE-2021-21579
CVE-2021-21578
 
CVE-2021-21577
 
CVE-2021-21581 Dell EMC iDRAC9 Versions before 5.00.00.00 5.00.00.00 5.00.00.00
CVE-2021-21580 Dell EMC iDRAC8 and Dell EMC iDRAC9
 		 Versions before 2.80.80.80 & 5.00.00.00 2.80.80.80 and 5.00.00.00 2.80.80.80
5.00.00.00

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Revision History

RevisionDateDescription
1.02021-06-30Initial Release

Acknowledgements

CVE-2021-21580: Dell Technologies would like to thank Jameel Nabbo for reporting this issue.

CVE-2021-21576, CVE-2021-21577, CVE-2021-21578, and CVE-2021-21579: Dell Technologies would like to thank Kajetan Rostojek for reporting these issues.

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

iDRAC8, iDRAC9, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7/8 with Lifecycle Controller Version 2.61.60.60 , iDRAC7/8 with Lifecycle Controller Version 2.62.60.60, iDRAC7/8 with Lifecycle Controller Version 2.63.60.61, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.18.17.13, iDRAC8 with Lifecycle Controller Version 2.30.119.30, iDRAC8 with Lifecycle Controller Version 2.35.35.35, iDRAC8 with Lifecycle Controller Version 2.42.110.40, iDRAC8 with Lifecycle Controller Version 2.45.45.40, iDRAC8 with Lifecycle Controller Version 2.55.55.50, iDRAC8 with Lifecycle Controller version 2.70.70.70, iDRAC8 with Lifecycle Controller version 2.75.75.75, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05, iDRAC8 with Lifecycle Controller Version 2.23.23.21, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC8 with Lifecycle Controller Version 2.00.00.00, iDRAC8 with Lifecycle Controller Version 2.02.01.01, Product Security Information ...
Article Properties
Article Number: 000189193
Article Type: Dell Security Advisory
Last Modified: 30 Jun 2021
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.