CVE-2022-34436: DSA-2022-265: Dell iDRAC8 and Dell iDRAC9 Security Update for a RACADM Vulnerability
Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker could exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.
Impact
Low
Details
Proprietary Code CVEs

CVE-2022-34435
  Description: Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.
  CVSS Base Score: 2.7
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVE-2022-34436
  Description: Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.
  CVSS Base Score: 2.7
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity of a given security vulnerability.
Affected Products and Remediation
CVEs Addressed

CVE-2022-34435
  Product: Dell iDRAC9
  Affected Versions: Versions before 6.00.30.00
  Updated Versions: 6.00.30.00
  Link to Update: https://www.dell.com/support/home/en-us/drivers/driversdetails?driverId=D92HF

CVE-2022-34436
  Product: Dell iDRAC8
  Affected Versions: Versions before 2.84.84.84
  Updated Versions: 2.84.84.84
  Link to Update: iDRAC8 firmware is planned to be available March 2023.
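The practical question for an operator is which controllers in the fleet are still below the fixed versions above while relying on System Lockdown (the bug only matters when lock-down is set, and PR:H in the vector means the attacker already holds an iDRAC administrator account, so the risk is a stolen or misused admin credential pushing firmware past a control that is supposed to stop even admins). The script below is an added example, not Dell code and not part of this advisory: it parses the output of `racadm getversion` and of `racadm get iDRAC.Lockdown.SystemLockdown` (both samples are constructed, and the exact output layout and the attribute name are assumptions; the advisory itself does not name the attribute), maps the firmware major number to the product line (2.x as iDRAC8, 3.x and later as iDRAC9, also an assumption), and compares numerically against the fixed versions from this advisory rather than as strings, so that 6.00.02.00 is correctly ordered before 6.00.30.00.

```python
import re
from typing import Optional, Tuple

# Fixed firmware versions named in DSA-2022-265.
FIXED_VERSION = {
    "iDRAC8": "2.84.84.84",  # CVE-2022-34436
    "iDRAC9": "6.00.30.00",  # CVE-2022-34435
}

# Constructed sample output. The line layout of the real `racadm getversion`
# command is an assumption; only a line of the form "iDRAC Version = x.y.z.w" is used.
SAMPLE_GETVERSION = """\
Bios Version                 = 2.15.1
iDRAC Version                = 6.00.02.00
Lifecycle Controller Version = 6.00.02.00
"""

# Constructed sample of `racadm get iDRAC.Lockdown.SystemLockdown`; the attribute
# name and the "SystemLockdown=Enabled" line are assumptions for iDRAC9.
SAMPLE_LOCKDOWN = """\
[Key=iDRAC.Embedded.1#Lockdown.1]
SystemLockdown=Enabled
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.00.02.00' -> (6, 0, 2, 0). Tuples compare numerically field by field."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def extract_idrac_version(getversion_output: str) -> Optional[str]:
    """Pull the iDRAC firmware version line out of `racadm getversion` output."""
    match = re.search(r"^\s*iDRAC Version\s*=\s*([0-9.]+)\s*$", getversion_output, re.M)
    return match.group(1) if match else None


def idrac_generation(version: Tuple[int, ...]) -> Optional[str]:
    """Assumed mapping of firmware major number to product line."""
    if version[0] == 2:
        return "iDRAC8"
    if version[0] >= 3:
        return "iDRAC9"
    return None


def assess(version_text: str) -> dict:
    """Compare an iDRAC firmware version against the advisory's fixed version."""
    version = parse_version(version_text)
    product = idrac_generation(version)
    if product is None:
        return {"product": None, "version": version_text, "fixed": None, "affected": None}
    fixed = FIXED_VERSION[product]
    return {
        "product": product,
        "version": version_text,
        "fixed": fixed,
        "affected": version < parse_version(fixed),
    }


def lockdown_enabled(get_output: str) -> bool:
    """True when the (assumed) SystemLockdown attribute reads Enabled."""
    match = re.search(r"^\s*SystemLockdown\s*=\s*(\w+)", get_output, re.M)
    return bool(match) and match.group(1).lower() == "enabled"


def report(getversion_output: str, lockdown_output: str) -> dict:
    """Combine both checks: the lock-down bypass only matters on an affected
    build where lock-down is actually enabled."""
    version_text = extract_idrac_version(getversion_output)
    if version_text is None:
        raise ValueError("no 'iDRAC Version' line in getversion output")
    result = assess(version_text)
    result["lockdown_enabled"] = lockdown_enabled(lockdown_output)
    result["lockdown_bypassable"] = bool(result["affected"]) and result["lockdown_enabled"]
    return result


if __name__ == "__main__":
    for key, value in report(SAMPLE_GETVERSION, SAMPLE_LOCKDOWN).items():
        print(f"{key}: {value}")
```

To use it against real controllers, capture the two command outputs from each iDRAC (for example via remote racadm with `-r <iDRAC address> -u <user> -p <password>`) and feed them to `report()`; a result with `lockdown_bypassable: True` is a controller where the lock-down control cannot currently be trusted against an administrator-level account and the firmware update above should be scheduled first.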
Acknowledgements
Dell Technologies would like to thank the Cloud Compute Security Team from Google for reporting this issue.
Revision History

Revision  Date        Description
1.0       2022-11-14  Initial release
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
iDRAC8, iDRAC9, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC9 - 5.xx Series, iDRAC9 - 6.xx Series
14 November 2022
Related news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.