Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000193076


DSA-2021-189: Dell EMC SmartFabric OS10 Security Update for a Multiple Security Vulnerabilities

Summary: Dell EMC SmartFabric OS10 remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content


Impact

High

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-36306 Networking OS10, versions before October 2021 with RESTCONF API enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36307 Networking OS10, versions before October 2021 with RESTCONF API enabled, contain a privilege escalation vulnerability. A malicious low privileged user with specific access to the API may potentially exploit this vulnerability to gain admin privileges on the affected system. 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36308 Networking OS10, versions before October 2021 with Smart Fabric Services enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36310 Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x, and 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36319 Dell Networking OS10 versions 10.4.3.x, 10.5.0.x, and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user may potentially gain access to SNMP authentication failure messages. 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
 
Third-Party Component CVEs More information
OpenSSL CVE-2021-23840 https://www.openssl.org/news/secadv/20210216.txt
https://www.openssl.org/news/secadv/20210824.txt
https://www.openssl.org/news/secadv/20220315.txt
CVE-2021-3711
CVE-2021-3712
CVE-2022-0778
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-36306 Networking OS10, versions before October 2021 with RESTCONF API enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36307 Networking OS10, versions before October 2021 with RESTCONF API enabled, contain a privilege escalation vulnerability. A malicious low privileged user with specific access to the API may potentially exploit this vulnerability to gain admin privileges on the affected system. 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36308 Networking OS10, versions before October 2021 with Smart Fabric Services enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36310 Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x, and 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36319 Dell Networking OS10 versions 10.4.3.x, 10.5.0.x, and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user may potentially gain access to SNMP authentication failure messages. 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
 
Third-Party Component CVEs More information
OpenSSL CVE-2021-23840 https://www.openssl.org/news/secadv/20210216.txt
https://www.openssl.org/news/secadv/20210824.txt
https://www.openssl.org/news/secadv/20220315.txt
CVE-2021-3711
CVE-2021-3712
CVE-2022-0778
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Product Affected Versions Updated Versions Link to Update
SmartFabric OS10 Versions before 10.4.3.8 10.4.3.9 Link to update
Versions before 10.5.0.10 10.5.0.10 Link to update
Versions before 10.5.1.11 10.5.1.11 Link to update
Versions before 10.5.2.11 10.5.2.11 Link to update
  Versions before 10.5.3.5 10.5.3.5 Link to update


Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Product Affected Versions Updated Versions Link to Update
SmartFabric OS10 Versions before 10.4.3.8 10.4.3.9 Link to update
Versions before 10.5.0.10 10.5.0.10 Link to update
Versions before 10.5.1.11 10.5.1.11 Link to update
Versions before 10.5.2.11 10.5.2.11 Link to update
  Versions before 10.5.3.5 10.5.3.5 Link to update


Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Acknowledgements

Dell Technologies would like to thank James Hebden for reporting CVE-2021-36306, CVE-2021-36307, and CVE-2021-36308. 

Revision History

RevisionDateDescription
1.02021-11-01Initial Release 
1.12022-01-13Updated CVE
1.22022-09-01Version Update

Related Information


Article Properties


Affected Product

Product Security Information, SmartFabric OS10 Software

Last Published Date

01 Sep 2022

Version

4

Article Type

Dell Security Advisory