DSA-2021-177: Dell EMC iDRAC Security Update for Multiple Security Vulnerabilities
Sommaire: Dell EMC iDRAC remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Cet article s’applique à
Cet article ne s’applique pas à
Cet article n’est lié à aucun produit spécifique.
Toutes les versions de produits ne sont pas identifiées dans cet article.
Impact
High
Détails
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36299 | Dell iDRAC9 versions 4.40.00.00 and later but before 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. | 7.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36300 | iDRAC9 versions before 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to make the webserver unresponsive or cause information disclosure. |
6.5 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36301 | Dell iDRAC9 before version 4.40.40.00 and iDRAC8 before version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system. | 5.9 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
| Third-party Component | CVEs | More information |
| ZeroMQ | CVE-2021-20235 | See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-20235) for individual scores for each CVE. |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36299 | Dell iDRAC9 versions 4.40.00.00 and later but before 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. | 7.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36300 | iDRAC9 versions before 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to make the webserver unresponsive or cause information disclosure. |
6.5 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L |
| CVE-2021-36301 | Dell iDRAC9 before version 4.40.40.00 and iDRAC8 before version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system. | 5.9 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
| Third-party Component | CVEs | More information |
| ZeroMQ | CVE-2021-20235 | See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-20235) for individual scores for each CVE. |
Produits touchés et correction
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-36299 | Dell EMC iDRAC9 | Versions 4.40.00.00 and later, but before 4.40.29.00 and 5.00.00.00 | 4.40.29.00 and 5.00.00.00 | 4.40.29.00 5.00.00.00 |
| CVE-2021-36300 | Dell EMC iDRAC9 |
Versions before 5.00.00.00 | 5.00.00.00 | 5.00.00.00 |
| CVE-2021-20235 | Dell EMC iDRAC9 Group Manager feature over the IPv6 linklocal interface |
Versions before 5.00.10.00 | 5.00.10.00 | 5.10.10.00 Note: Version 5.00.10.00 has been demoted. If version 5.00.10.00 was not applied before demotion, see Workarounds and Mitigations section. |
| CVE-2021-36301 | Dell EMC iDRAC8 and Dell EMC iDRAC9 |
Versions before 2.80.80.80 and 4.40.40.00 | 2.80.80.80 and 4.40.40.00 | 2.80.80.80 4.40.40.00 |
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-36299 | Dell EMC iDRAC9 | Versions 4.40.00.00 and later, but before 4.40.29.00 and 5.00.00.00 | 4.40.29.00 and 5.00.00.00 | 4.40.29.00 5.00.00.00 |
| CVE-2021-36300 | Dell EMC iDRAC9 |
Versions before 5.00.00.00 | 5.00.00.00 | 5.00.00.00 |
| CVE-2021-20235 | Dell EMC iDRAC9 Group Manager feature over the IPv6 linklocal interface |
Versions before 5.00.10.00 | 5.00.10.00 | 5.10.10.00 Note: Version 5.00.10.00 has been demoted. If version 5.00.10.00 was not applied before demotion, see Workarounds and Mitigations section. |
| CVE-2021-36301 | Dell EMC iDRAC8 and Dell EMC iDRAC9 |
Versions before 2.80.80.80 and 4.40.40.00 | 2.80.80.80 and 4.40.40.00 | 2.80.80.80 4.40.40.00 |
Solutions de contournement et mesures d’atténuation
CVE-2021-20235 is mitigated in Dell EMC iDRAC9 when the Group Manager Feature is disabled. For Group Manager configuration steps, see the iDRAC9 Security Configuration Guide.
Historique de révision
| Revision | Date | Description |
| 1.0 | 2021-09-09 | Initial Release |
| 2.0 | 2021-10-01 | Update to Affected Products and Remediation section and Workarounds and Mitigations section |
| 2.1 | 2022-05-26 | Updated Affected Products and Remediation section |
| 2.2 | 2023-05-01 | Reformatted for improved presentation without any changes to content. |
Renseignements connexes
Avis de non-responsabilité
Produits touchés
iDRAC8, iDRAC9, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC9 - 5.xx Series, Product Security InformationPropriétés de l’article
Numéro d’article: 000191229
Type d’article: Dell Security Advisory
Dernière modification: 01 mai 2023
Obtenez des réponses à vos questions auprès d’autre utilisateurs de Dell
Services de soutien
Vérifiez si votre appareil est couvert par les services de soutien.