DSA-2021-189: Dell EMC SmartFabric OS10 Security Update for a Multiple Security Vulnerabilities
摘要: Dell EMC SmartFabric OS10 remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
本文适用于
本文不适用于
本文并非针对某种特定的产品。
本文并非包含所有产品版本。
影响
High
详情
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36306 | Networking OS10, versions before October 2021 with RESTCONF API enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36307 | Networking OS10, versions before October 2021 with RESTCONF API enabled, contain a privilege escalation vulnerability. A malicious low privileged user with specific access to the API may potentially exploit this vulnerability to gain admin privileges on the affected system. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36308 | Networking OS10, versions before October 2021 with Smart Fabric Services enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2021-36310 | Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x, and 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2021-36319 | Dell Networking OS10 versions 10.4.3.x, 10.5.0.x, and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user may potentially gain access to SNMP authentication failure messages. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Third-Party Component | CVEs | More information |
| OpenSSL | CVE-2021-23840 | https://www.openssl.org/news/secadv/20210216.txt https://www.openssl.org/news/secadv/20210824.txt https://www.openssl.org/news/secadv/20220315.txt |
| CVE-2021-3711 | ||
| CVE-2021-3712 | ||
| CVE-2022-0778 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36306 | Networking OS10, versions before October 2021 with RESTCONF API enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36307 | Networking OS10, versions before October 2021 with RESTCONF API enabled, contain a privilege escalation vulnerability. A malicious low privileged user with specific access to the API may potentially exploit this vulnerability to gain admin privileges on the affected system. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36308 | Networking OS10, versions before October 2021 with Smart Fabric Services enabled, contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2021-36310 | Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x, and 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2021-36319 | Dell Networking OS10 versions 10.4.3.x, 10.5.0.x, and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user may potentially gain access to SNMP authentication failure messages. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Third-Party Component | CVEs | More information |
| OpenSSL | CVE-2021-23840 | https://www.openssl.org/news/secadv/20210216.txt https://www.openssl.org/news/secadv/20210824.txt https://www.openssl.org/news/secadv/20220315.txt |
| CVE-2021-3711 | ||
| CVE-2021-3712 | ||
| CVE-2022-0778 |
受影响的产品和补救措施
| Product | Affected Versions | Updated Versions | Link to Update |
| SmartFabric OS10 | Versions before 10.4.3.8 | 10.4.3.9 | Link to update |
| Versions before 10.5.0.10 | 10.5.0.10 | Link to update | |
| Versions before 10.5.1.11 | 10.5.1.11 | Link to update | |
| Versions before 10.5.2.11 | 10.5.2.11 | Link to update | |
| Versions before 10.5.3.5 | 10.5.3.5 | Link to update |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| Product | Affected Versions | Updated Versions | Link to Update |
| SmartFabric OS10 | Versions before 10.4.3.8 | 10.4.3.9 | Link to update |
| Versions before 10.5.0.10 | 10.5.0.10 | Link to update | |
| Versions before 10.5.1.11 | 10.5.1.11 | Link to update | |
| Versions before 10.5.2.11 | 10.5.2.11 | Link to update | |
| Versions before 10.5.3.5 | 10.5.3.5 | Link to update |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
修订历史记录
| Revision | Date | Description |
| 1.0 | 2021-11-01 | Initial Release |
| 1.1 | 2022-01-13 | Updated CVE |
| 1.2 | 2022-09-01 | Version Update |
确认
Dell Technologies would like to thank James Hebden for reporting CVE-2021-36306, CVE-2021-36307, and CVE-2021-36308.
相关信息
法律免责声明
受影响的产品
Product Security Information, SmartFabric OS10 Software文章属性
文章编号: 000193076
文章类型: Dell Security Advisory
上次修改时间: 01 9月 2022
从其他戴尔用户那里查找问题的答案
支持服务
检查您的设备是否在支持服务涵盖的范围内。