DSA-2021-189: Dell EMC SmartFabric OS10 Security Update for Multiple Security Vulnerabilities
Summary: Dell EMC SmartFabric OS10 remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36306 | Networking OS10, versions before October 2021 with RESTCONF API enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36307 | Networking OS10, versions before October 2021 with RESTCONF API enabled, contain a privilege escalation vulnerability. A malicious low privileged user with specific access to the API may potentially exploit this vulnerability to gain admin privileges on the affected system. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36308 | Networking OS10, versions before October 2021 with Smart Fabric Services enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2021-36310 | Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x, and 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2021-36319 | Dell Networking OS10 versions 10.4.3.x, 10.5.0.x, and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user may potentially gain access to SNMP authentication failure messages. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Third-Party Component | CVEs | More information |
| OpenSSL | CVE-2021-23840, CVE-2021-3711, CVE-2021-3712, CVE-2022-0778 | https://www.openssl.org/news/secadv/20210216.txt, https://www.openssl.org/news/secadv/20210824.txt, https://www.openssl.org/news/secadv/20220315.txt |
Affected Products & Remediation
| Product | Affected Versions | Updated Versions | Link to Update |
| SmartFabric OS10 | Versions before 10.4.3.8 | 10.4.3.9 | Link to update |
| SmartFabric OS10 | Versions before 10.5.0.10 | 10.5.0.10 | Link to update |
| SmartFabric OS10 | Versions before 10.5.1.11 | 10.5.1.11 | Link to update |
| SmartFabric OS10 | Versions before 10.5.2.11 | 10.5.2.11 | Link to update |
| SmartFabric OS10 | Versions before 10.5.3.5 | 10.5.3.5 | Link to update |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
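The remediation table is what an operator has to act on across a fleet, so the following is an added example (not Dell's code or tooling) that classifies OS10 version strings against the thresholds listed above. The "hostname,version" inventory format, the sample device names and the handling of a trailing patch suffix such as "P2" are assumptions made for the example; the version thresholds themselves are taken from the table. The 10.4.3 row is the only one where "affected before" (10.4.3.8) and the published update (10.4.3.9) differ, so 10.4.3.8 is reported as "verify" rather than silently treated as fixed.

```python
"""Classify Dell EMC SmartFabric OS10 version strings against the
DSA-2021-189 remediation table. Added example, not Dell tooling."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Thresholds copied from the advisory's remediation table, keyed by
# release train: (first version NOT listed as affected, published update).
# Only the 10.4.3 row has two different values (before 10.4.3.8 affected,
# update is 10.4.3.9), so 10.4.3.8 itself is flagged for manual review.
REMEDIATION: Dict[Tuple[int, int, int], Tuple[Version, Version]] = {
    (10, 4, 3): ((10, 4, 3, 8), (10, 4, 3, 9)),
    (10, 5, 0): ((10, 5, 0, 10), (10, 5, 0, 10)),
    (10, 5, 1): ((10, 5, 1, 11), (10, 5, 1, 11)),
    (10, 5, 2): ((10, 5, 2, 11), (10, 5, 2, 11)),
    (10, 5, 3): ((10, 5, 3, 5), (10, 5, 3, 5)),
}


def parse_version(text: str) -> Version:
    """Turn '10.5.2.6' into (10, 5, 2, 6).

    Assumption: a trailing non-numeric suffix on a field (e.g. a patch
    tag like '11P2') is ignored; only the four numeric fields are compared.
    Anything that is not four dotted fields is rejected rather than guessed.
    """
    fields = text.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted fields: {text!r}")
    numbers: List[int] = []
    for field in fields:
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"non-numeric version field in {text!r}")
        numbers.append(int(digits))
    return (numbers[0], numbers[1], numbers[2], numbers[3])


def assess(version: str) -> str:
    """Return 'affected', 'verify', 'remediated' or 'unknown' for one version."""
    v = parse_version(version)
    entry = REMEDIATION.get(v[:3])
    if entry is None:
        # Train not in the table. The advisory says the table may be
        # incomplete, so an unlisted train is not assumed to be safe.
        return "unknown"
    affected_below, updated = entry
    if v < affected_below:
        return "affected"
    if v < updated:
        return "verify"  # between "affected before" and the published update
    return "remediated"


def assess_inventory(lines: List[str]) -> Dict[str, str]:
    """Apply assess() to 'hostname,version' records; blank/comment lines skipped."""
    result: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(",")
        try:
            result[host.strip()] = assess(ver)
        except ValueError as exc:
            result[host.strip()] = f"error: {exc}"
    return result


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    "# host,os10_version",
    "leaf-01,10.5.2.6",
    "leaf-02,10.5.2.11",
    "spine-01,10.4.3.8",
    "spine-02,10.5.1.11P2",
    "border-01,10.5.4.0",
    "mgmt-01,10.5",
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
```

Run it against an export of your own switch inventory; anything reported as "affected" or "verify" should be treated as exposed to CVE-2021-36306/36307 if RESTCONF is enabled and to CVE-2021-36308 if Smart Fabric Services is enabled, and an "unknown" train should be checked against the current advisory rather than assumed fixed.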
Revision History
| Revision | Date | Description |
| 1.0 | 2021-11-01 | Initial Release |
| 1.1 | 2022-01-13 | Updated CVE |
| 1.2 | 2022-09-01 | Version Update |
Acknowledgements
Dell Technologies would like to thank James Hebden for reporting CVE-2021-36306, CVE-2021-36307, and CVE-2021-36308.
Article Properties
Product: Product Security Information, SmartFabric OS10 Software
Article Number: 000193076
Article Type: Dell Security Advisory
Last Modified: 01 Sep 2022