Brian Piatt
September 25th, 2019 08:00
@James Paul
I appreciate your thoroughness in explaining the situation. I have forwarded an enhancement request to the PSIRT team to include model search abilities to https://www.dell.com/support/security/en-us/. With any enhancement, I can't guarantee it will move into production, but it shows active interest by customers.
In the meantime, it seems you already discovered the stop-gap I would recommend. If you search ("model number" cve) in google, it tends to show up as the top-hit for several different devices with the correct articles. The one downside to this method is that it can take google metacrawlers some time to process or update an article for searchability. It's important to also include the model number in quotes as I found in my testing the links could go lower in the stack if typing without the quotes.
Let me know if you have any other questions or concerns I can assist you with.
-Brian
L4 | Dell Data Security
#IWork4Dell
James Paul
September 25th, 2019 14:00
Thanks for the quick response Brian. A couple of follow-up questions:
Do you know where vulnerabilities are listed for RPMs from OMSA such as:
srvadmin-hapi-7.2.0-4.237.1.el6.x86_64.rpm
srvadmin-idrac-7.2.0-4.481.2.el6.x86_64.rpm
I've looked through the CSV that is published but I'm having trouble matching package names myself, and trying to do it programmatically would be even more challenging. Combing through I found the following in DSA-2019-028 but I'm having trouble confirming that those iDRAC packages are actually referring to my iDRAC packages:
Affected products:
Dell EMC iDRAC6 versions prior to 2.92 (CVE-2019-3705)
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 (CVE-2019-3705)
Dell EMC iDRAC9 versions prior to 3.30.30.30, 3.20.21.20, 3.21.24.22, 3.21.26.22, 3.23.23.23, 3.24.24.24, 3.22.22.22, 3.21.25.22 (CVE-2019-3705, CVE-2019-3706, and CVE-2019-3707)
Brian Piatt
September 26th, 2019 13:00
@James Paul
Disclaimer: My specialization is with the Dell Data Security Product Portfolio. I would suggest reaching out to ProSupport if the information below isn't sufficient.
When looking up some of the CVEs you listed, it appears I can cross-reference them with How to Identify the iDRAC Version for Your Dell PowerEdge Server. Here is a forum post on how you potentially can get this information via command: Determine DRAC version from RACADM
According to HERE, it also appears you can find the version of the DRAC model by:
"This information can be found by booting into the LifeCycle Controller (LCC) or within the iDRAC web interface using a supported browser and iDRAC IP address. Under server information, the iDRAC firmware version will be displayed."
Looking at the web interface, it appears there is an About section you can look at too.
After you have that information you should be able to compare against the CVE. I hope this answers your question.
Let me know if I can be of any further help.
-Brian
L4 | Dell Data Security #IWork4Dell
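As an added example (not from the thread, and not Dell's own tooling), here is how the "prior to" thresholds from DSA-2019-028 quoted earlier in the thread can be compared against an iDRAC firmware version read from the About page or RACADM. The per-branch handling of the iDRAC9 list (several parallel 3.2x branches, each with its own fixed build) and the fallback to the highest listed version for an unlisted branch are my assumptions about how to read the advisory; the inventory rows are constructed sample data.

```python
"""Compare an iDRAC firmware version against the fixed versions in DSA-2019-028."""
from typing import Optional, Tuple

# Fixed versions exactly as listed in the advisory text quoted in the thread,
# keyed by iDRAC generation. A build is affected if it is "prior to" the fixed
# version for its release branch (assumption: branch = first two components).
FIXED_VERSIONS = {
    "iDRAC6": ["2.92"],
    "iDRAC7": ["2.61.60.60"],
    "iDRAC8": ["2.61.60.60"],
    "iDRAC9": ["3.30.30.30", "3.20.21.20", "3.21.24.22", "3.21.26.22",
               "3.23.23.23", "3.24.24.24", "3.22.22.22", "3.21.25.22"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.21.23.22' into (3, 21, 23, 22) so tuples compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts


def fixed_version_for(generation: str, version: str) -> Optional[str]:
    """Pick the fixed version that applies to this build's release branch.

    iDRAC9 shipped several parallel branches (3.20.x, 3.21.x, ...), each with
    its own fix, so compare within the same branch and take its lowest fixed
    build. If no listed branch matches, fall back to the highest fixed version
    in the list (assumption, not stated by the advisory).
    """
    candidates = FIXED_VERSIONS[generation]
    branch = parse_version(version)[:2]
    same_branch = [c for c in candidates if parse_version(c)[:2] == branch]
    if same_branch:
        return min(same_branch, key=parse_version)
    return max(candidates, key=parse_version)


def is_affected(generation: str, version: str) -> bool:
    """True if the installed firmware is prior to the applicable fixed version."""
    fixed = fixed_version_for(generation, version)
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory (host, generation, firmware) for demonstration.
    inventory = [("r730-01", "iDRAC8", "2.52.52.52"), ("r740-02", "iDRAC9", "3.21.23.22"),
                 ("r740-03", "iDRAC9", "3.21.26.22"), ("r610-04", "iDRAC6", "2.92")]
    for host, gen, ver in inventory:
        print(host, gen, ver, "AFFECTED" if is_affected(gen, ver) else "fixed")
```

The same comparison can be fed from a CSV export of the inventory; the version string is the only field the check needs.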
cyberoner1
September 1st, 2020 04:00
Good day,
I found this thread as I was looking for nearly the same situation. I would like to know if there is the possibility to download the file via API and is it possible to add the product to the output?