Lucene search

CERTVU:920038

HistorySep 23, 2013 - 12:00 a.m.

Dell iDRAC 6 and iDRAC 7 are vulnerable to a cross-site scripting (XSS) attack

2013-09-2300:00:00

www.kb.cert.org

152

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

59.3%

JSON

Overview

Dell iDRAC 6 version 1.41, Dell iDRAC 7 version 1.40.40 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Dell iDRAC 6 version 1.41 and Dell iDRAC 7 version 1.40.40’s administrative web interface login page can allow remote attackers to inject arbitrary script via the vulnerable query string parameter ErrorMsg.

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the user’s browser.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Apply an Update

Firmware updates will be posted to the Dell support page when available. Users should download the appropriate update for the version of iDRAC they have installed:

* iDRAC6 “monolithic” (rack and towers) – FW version 1.96; targeted release date is Q4CY13.
* iDRAC7 all models – FW version 1.46.45; target release date is mid/late September 2013.
* NOTE: iDRAC6 “modular” (blades) are not affected; no updates are required.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing the Dell iDRAC web interface using stolen credentials from a blocked network location.

Vendor Information

920038

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Dell Computer Corporation, Inc. __ Affected

Notified: July 01, 2013 Updated: September 23, 2013

Status

Affected

Vendor Statement

Dell response to Vulnerability Note VU#920038

Overview
This document addresses Vulnerability Note VU#920038.

Description
Administrative Web Interface in login page allows remote attackers to inject arbitrary web scripts or HTML via the vulnerable query string parameter .ErrorMsg

Affected Products

  * iDRAC6 “monolithic” (rack and towers)
  * iDRAC7 all models
  * NOTE: iDRAC6 “modular” (blades) are not affected

Solution Apply an Update

  * Firmware updates will be posted to www.dell.com/support when available

Users should download the appropriate update for the version of iDRAC they have installed.
* iDRAC6 “monolithic” (rack and towers) – FW version 1.96; target release Q4CY13
* iDRAC7 all models – FW version 1.46.45; target release date mid/late September 2013
* NOTE: iDRAC6 “modular” (blades) are not affected; no update required

Additional Information

  * DRAC’s are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.
  * Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.

© 2013 Dell Inc. All rights reserved.
This response is for informational purposes only, and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind.