DSA-2021-133: Dell iDRAC Security Update for Multiple Security Vulnerabilities

Samenvatting: Dell iDRAC remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Dit artikel is van toepassing op Dit artikel is niet van toepassing op Dit artikel is niet gebonden aan een specifiek product. Niet alle productversies worden in dit artikel vermeld.
Bekijk andere hulpbronnen

Impact

Medium

Gegevens

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21581 Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-21580 Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2021-21579
 		 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21578 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21577 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21576 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21581 Dell EMC iDRAC9 versions before 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim to following a specially crafted link. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-21580 Dell EMC iDRAC8 versions before 2.80.80.80 and Dell EMC iDRAC9 versions before 5.00.00.00 contain a Content spoofing or Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2021-21579
 		 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21578 Dell EMC iDRAC9 versions before 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click maliciously crafted links. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21577 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2021-21576 Dell EMC iDRAC9 versions before 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker may potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Dell Technologies raadt aan dat alle klanten rekening houden met zowel de basisscore van CVSS als alle relevante tijdelijke en omgevingsscores die gevolgen kunnen hebben voor de mogelijke ernst van de specifieke beveiligingsproblemen.

Getroffen producten en herstel

CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-21576 Dell EMC iDRAC9 Versions before 4.40.40.00 4.40.40.00 4.40.40.00
CVE-2021-21579
CVE-2021-21578
 
CVE-2021-21577
 
CVE-2021-21581 Dell EMC iDRAC9 Versions before 5.00.00.00 5.00.00.00 5.00.00.00
CVE-2021-21580 Dell EMC iDRAC8 and Dell EMC iDRAC9
 		 Versions before 2.80.80.80 & 5.00.00.00 2.80.80.80 and 5.00.00.00 2.80.80.80
5.00.00.00

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-21576 Dell EMC iDRAC9 Versions before 4.40.40.00 4.40.40.00 4.40.40.00
CVE-2021-21579
CVE-2021-21578
 
CVE-2021-21577
 
CVE-2021-21581 Dell EMC iDRAC9 Versions before 5.00.00.00 5.00.00.00 5.00.00.00
CVE-2021-21580 Dell EMC iDRAC8 and Dell EMC iDRAC9
 		 Versions before 2.80.80.80 & 5.00.00.00 2.80.80.80 and 5.00.00.00 2.80.80.80
5.00.00.00

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Revisiegeschiedenis

RevisionDateDescription
1.02021-06-30Initial Release

Bevestigingen

CVE-2021-21580: Dell Technologies would like to thank Jameel Nabbo for reporting this issue.

CVE-2021-21576, CVE-2021-21577, CVE-2021-21578, and CVE-2021-21579: Dell Technologies would like to thank Kajetan Rostojek for reporting these issues.

Verwante informatie

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Juridische verklaring van afstand

Getroffen producten

iDRAC8, iDRAC9, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7/8 with Lifecycle Controller Version 2.61.60.60 , iDRAC7/8 with Lifecycle Controller Version 2.62.60.60, iDRAC7/8 with Lifecycle Controller Version 2.63.60.61, iDRAC8 with Lifecycle Controller Version 2.12.12.12, iDRAC8 with Lifecycle Controller Version 2.14.14.12, iDRAC8 with Lifecycle Controller Version 2.17.17.13, iDRAC8 with Lifecycle Controller Version 2.18.17.13, iDRAC8 with Lifecycle Controller Version 2.30.119.30, iDRAC8 with Lifecycle Controller Version 2.35.35.35, iDRAC8 with Lifecycle Controller Version 2.42.110.40, iDRAC8 with Lifecycle Controller Version 2.45.45.40, iDRAC8 with Lifecycle Controller Version 2.55.55.50, iDRAC8 with Lifecycle Controller version 2.70.70.70, iDRAC8 with Lifecycle Controller version 2.75.75.75, iDRAC8 with Lifecycle Controller Version 2.04.02.01, iDRAC8 with Lifecycle Controller Version 2.05.05.05, iDRAC8 with Lifecycle Controller Version 2.23.23.21, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC8 with Lifecycle Controller Version 2.00.00.00, iDRAC8 with Lifecycle Controller Version 2.02.01.01, Product Security Information ...
Artikeleigenschappen
Artikelnummer: 000189193
Artikeltype: Dell Security Advisory
Laatst aangepast: 30 jun. 2021
Vind antwoorden op uw vragen via andere Dell gebruikers
Support Services
Controleer of uw apparaat wordt gedekt door Support Services.