DSA-2022-043: Dell Precision Rack Security Update for Multiple iDRAC Vulnerabilities
Summary: Dell Client remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36347 | Dell EMC iDRAC9 versions before 5.00.20.00 and iDRAC8 versions before 2.82.82.82 contain a stack-based buffer overflow vulnerability. An authenticated remote attacker with high privileges may potentially exploit this vulnerability to control process execution and gain access to the iDRAC operating system. | 6.2 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L |
| CVE-2021-36348 | Dell EMC iDRAC9 versions before 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36346 | Dell EMC iDRAC8 versions before 2.82.82.82 contain a denial of service vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to deny access to the iDRAC webserver. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2021-36299 | Dell iDRAC9 versions 4.40.00.00 and later but before 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36300 | iDRAC9 versions before 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to make the webserver unresponsive or cause information disclosure. | 6.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36301 | Dell iDRAC9 before version 4.40.40.00 and iDRAC8 before version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
| CVE-2021-21581 | Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-21580 | Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL may potentially inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVE-2021-21579 | Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21578 | Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21577 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21576 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Third-party Component | CVE | More information |
| Openssl | CVE-2021-3712 | See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-3712) for individual scores for each CVE. |
| ZeroMQ | CVE-2021-20235 | See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-20235) for individual scores for each CVE. |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36347 | Dell EMC iDRAC9 versions before 5.00.20.00 and iDRAC8 versions before 2.82.82.82 contain a stack-based buffer overflow vulnerability. An authenticated remote attacker with high privileges may potentially exploit this vulnerability to control process execution and gain access to the iDRAC operating system. | 6.2 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L |
| CVE-2021-36348 | Dell EMC iDRAC9 versions before 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36346 | Dell EMC iDRAC8 versions before 2.82.82.82 contain a denial of service vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to deny access to the iDRAC webserver. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2021-36299 | Dell iDRAC9 versions 4.40.00.00 and later but before 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36300 | iDRAC9 versions before 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to make the webserver unresponsive or cause information disclosure. | 6.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36301 | Dell iDRAC9 before version 4.40.40.00 and iDRAC8 before version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
| CVE-2021-21581 | Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVE-2021-21580 | Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL may potentially inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVE-2021-21579 | Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21578 | Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21577 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2021-21576 | Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Third-party Component | CVE | More information |
| Openssl | CVE-2021-3712 | See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-3712) for individual scores for each CVE. |
| ZeroMQ | CVE-2021-20235 | See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-20235) for individual scores for each CVE. |
Affected Products & Remediation
| Product | Fixed Version | Release Date |
| Precision 7910 Rack | iDRAC8: 2.82.82.82 | 12/15/2021 |
| Precision 7920 Rack | iDRAC9: 5.10.00.00 | 12/08/2021 |
| Product | Fixed Version | Release Date |
| Precision 7910 Rack | iDRAC8: 2.82.82.82 | 12/15/2021 |
| Precision 7920 Rack | iDRAC9: 5.10.00.00 | 12/08/2021 |
Revision History
| Revision | Date | Description |
| 1.0 | 2022/02/17 | Initial Release |
| 1.1 | 2022/03/30 | Updated Fix Version |
Related Information
Legal Disclaimer
Affected Products
Precision 7920 Rack, Precision Rack 7910, Product Security InformationArticle Properties
Article Number: 000196401
Article Type: Dell Security Advisory
Last Modified: 18 Sep 2025
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.