Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Premier Sign In Dell Financial Services Partner Program Sign In
Contact Us

Your Dell.com Carts

DSA-2024-018: Security Update for Dell iDRAC Service Module for Weak Folder Permission Vulnerabilities

Summary: Dell iDRAC Service Module remediation is available for iSM for Windows versions 5.3.0.0, 5.2.0.0 and 5.1.0.0 , which could be exploited by malicious users to compromise the affected system. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

High

Additional Details

This remediation is only applicable if Dell iDRAC Service Module (iSM) for Windows is installed in a custom location other than C:\Program Files\Dell\SysMgt.

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-22428 Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability. It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system. Dell recommends customers upgrade at the earliest opportunity. 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-22428 Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability. It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system. Dell recommends customers upgrade at the earliest opportunity. 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed Product Software/Firmware Affected Versions Remediated Versions Link
CVE-2024-22428 iDRAC Service Module iDRAC Service Module Release Build for Windows Versions prior to 5.3.0.0, A00  Version 5.3.0.0, A00 or later iDRAC Service Module Release Build for Windows, v5.3.0.0
CVE-2024-22428 iDRAC Service Module iDRAC Service Module Release Build for Windows Versions prior to 5.2.0.0, A00 Version 5.2.0.0, A00 or later iDRAC Service Module Release build for windows, v5.2.0.0
CVE-2024-22428 iDRAC Service Module iDRAC Service Module Release Build for Windows Versions prior to 5.1.0.0, A00  Version 5.1.0.0, A00 or later iDRAC Service Module Release build for windows, v5.1.0.0
CVEs Addressed Product Software/Firmware Affected Versions Remediated Versions Link
CVE-2024-22428 iDRAC Service Module iDRAC Service Module Release Build for Windows Versions prior to 5.3.0.0, A00  Version 5.3.0.0, A00 or later iDRAC Service Module Release Build for Windows, v5.3.0.0
CVE-2024-22428 iDRAC Service Module iDRAC Service Module Release Build for Windows Versions prior to 5.2.0.0, A00 Version 5.2.0.0, A00 or later iDRAC Service Module Release build for windows, v5.2.0.0
CVE-2024-22428 iDRAC Service Module iDRAC Service Module Release Build for Windows Versions prior to 5.1.0.0, A00  Version 5.1.0.0, A00 or later iDRAC Service Module Release build for windows, v5.1.0.0
 
NOTE: In addition to the below wording pointing specifically at a Windows-based tree structure. Dell confirms the issue discussed in this Security Advisory:

- does not impact the Linux version of the iDRAC Service Module,
- does not impact the iDRAC Service Module ViB for ESXi.

The hotfix is only applicable to hosts running Microsoft Windows Server and Client operating systems.

This patch is only applicable if Dell iDRAC Service Module (iSM) is installed in a custom location other than the default path: “C:\Program Files\Dell\SysMgt\”

 

Workarounds & Mitigations

CVE ID Workaround and Mitigation
CVE-2024-22428 Install iSM at the default location

Revision History

Revision DateDescription
1.02024-01-15Initial Release.
2.02024-01-16Changes to formatting without content changes.
3.02024-01-18Updated the "Affected Versions" to read 5.2.0.0.
4.02024-01-30Updated the additional info field to highlight this only applies to specific OSes.
5.02024-02-07added specific links to hotfix and full download for Windows.
6.02024-02-12minor formatting changes and URL link spelling update.
7.02024-02-13formating update without content changes.
8.02024-02-16Added specific language targeted at Linux-based and ESXi versions of iSM
9.02024-02-16formatting changes without content changes
10.02024-03-07Multiple content updates: Summary, additional details, remediation table
11.02024-06-13Updated for enhanced presentation with no other changes to content.
12.02024-06-21Updated for enhanced presentation with no other changes to content.
13.02024-06-21spelling enhancements

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

iDRAC Service Module, iDRAC Service Module 5.x, 7920 XL Rack, Poweredge C4140, PowerEdge C6420, PowerEdge C6520, PowerEdge C6525, PowerEdge C6600, PowerEdge C6615, PowerEdge C6620, PowerEdge FC640, PowerEdge HS5610, PowerEdge HS5620, PowerEdge M640 , PowerEdge M640 (for PE VRTX), PowerEdge MX740C, PowerEdge MX750c, PowerEdge MX760c, PowerEdge MX840C, PowerEdge R240, PowerEdge R250, PowerEdge R340, PowerEdge R350, PowerEdge R360, PowerEdge R440, PowerEdge R450, PowerEdge R540, PowerEdge R550, PowerEdge R6415, PowerEdge R650, PowerEdge R650xs, PowerEdge R6515, PowerEdge R6525, PowerEdge R660, PowerEdge R660xs, PowerEdge R6615, PowerEdge R6625, PowerEdge R740, PowerEdge R740XD, PowerEdge R740XD2, PowerEdge R7415, PowerEdge R7425, PowerEdge R750, PowerEdge R750XA, PowerEdge R750xs, PowerEdge R7515, PowerEdge R7525, PowerEdge R760, PowerEdge R760XA, PowerEdge R760xd2, PowerEdge R760xs, PowerEdge R7615, PowerEdge R7625, PowerEdge R840, PowerEdge R860, PowerEdge R940, PowerEdge R940xa, PowerEdge R960, PowerEdge T140, PowerEdge T150, PowerEdge T340, PowerEdge T350, PowerEdge T360, PowerEdge T440, PowerEdge T550, PowerEdge T560, PowerEdge T640, PowerEdge XE2420, PowerEdge XE7420, PowerEdge XE7440, PowerEdge XE8545, PowerEdge XE8640, PowerEdge XE9640, PowerEdge XE9680, PowerEdge XR11, PowerEdge XR12, PowerEdge XR4510c, PowerEdge XR4520c, PowerEdge XR5610, PowerEdge XR7620, PowerEdge XR8000r, PowerEdge XR8610t, PowerEdge XR8620t, Precision 7960 Rack ...
Article Properties
Article Number: 000221129
Article Type: Dell Security Advisory
Last Modified: 24 Jun 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.