Medium
Summary:
Dell EMC iDRAC (Integrated Dell Remote Access Controller) in VxRACK Flex, requires a security update to address multiple vulnerabilities.
Privilege Escalation Vulnerability
CVE-2018-15774
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges may potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.
Improper Error Handling Vulnerability
CVE-2018-15776
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system may potentially exploit this vulnerability to get access to the u-boot shell.
See NVD (http://nvd.nist.gov/) for individual scores for each CVE
Privilege Escalation Vulnerability
CVE-2018-15774
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges may potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.
Improper Error Handling Vulnerability
CVE-2018-15776
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system may potentially exploit this vulnerability to get access to the u-boot shell.
See NVD (http://nvd.nist.gov/) for individual scores for each CVE
Affected products:
Dell EMC VxRACK Flex system RCM releases 3.0.8 to 3.0.11, 3.0.12.0, and 3.0.12.1
Dell EMC VxRACK Flex system RCM releases 3.2.1 to 3.2.7
Dell EMC VxRACK Flex system RCM releases 3.3.1, 3.3.2, 3.3.3.0, 3.3.3.1, and 3.3.4
Remediation:
The following Dell EMC VxRack System Flex releases address these issues:
For customers who are on RCMs 3.0.8 to 3.0.11, 3.0.12.0, and 3.0.12.1, upgrade to RCM 3.0.13.1
For customers who are on RCMs 3.2.1 to 3.2.7, upgrade to RCM 3.2.7.1
For customers who are on RCMs 3.3.1, 3.3.2, 3.3.3.0, 3.3.3.1, and 3.3.4, upgrade to RCM 3.3.4.1
Dell EMC recommends all customers upgrade at the earliest opportunity.
Customers can download software and firmware updates from Dell EMC Online Support at https://cpsdocs.dellemc.com/rcm/#/home.
Affected products:
Dell EMC VxRACK Flex system RCM releases 3.0.8 to 3.0.11, 3.0.12.0, and 3.0.12.1
Dell EMC VxRACK Flex system RCM releases 3.2.1 to 3.2.7
Dell EMC VxRACK Flex system RCM releases 3.3.1, 3.3.2, 3.3.3.0, 3.3.3.1, and 3.3.4
Remediation:
The following Dell EMC VxRack System Flex releases address these issues:
For customers who are on RCMs 3.0.8 to 3.0.11, 3.0.12.0, and 3.0.12.1, upgrade to RCM 3.0.13.1
For customers who are on RCMs 3.2.1 to 3.2.7, upgrade to RCM 3.2.7.1
For customers who are on RCMs 3.3.1, 3.3.2, 3.3.3.0, 3.3.3.1, and 3.3.4, upgrade to RCM 3.3.4.1
Dell EMC recommends all customers upgrade at the earliest opportunity.
Customers can download software and firmware updates from Dell EMC Online Support at https://cpsdocs.dellemc.com/rcm/#/home.