CVE-2020-26198
Description
Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 contain a reflected cross-site scripting vulnerability in the iDRAC9 web application. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim into following a specially crafted link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 contain a reflected XSS vulnerability that allows arbitrary HTML/JavaScript execution in a victim's browser via a crafted link.
Vulnerability
Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 contain a reflected cross-site scripting (XSS) vulnerability in the iDRAC9 web application. This flaw allows an attacker to inject malicious HTML or JavaScript into a page by crafting a specially formed URL. No special configuration is required beyond the affected software versions. [1]
Exploitation
A remote attacker can exploit this vulnerability by convincing a victim to click a specially crafted link, which causes the injected script to be reflected and executed in the victim's browser. The attacker does not need prior authentication, but the victim must interact with the crafted link (user interaction is required). The attack vector is network-based (AV:N), and no privileges are needed (PR:N). [1]
Impact
Successful exploitation results in limited confidentiality and integrity impact (CVSSv3 6.1 – C:L, I:L). The attacker can execute malicious scripts in the victim's browser within the context of the iDRAC9 web session, potentially performing actions on behalf of the victim or stealing session cookies. The scope is changed because the vulnerable component (the iDRAC9 web application) and the impacted component (the victim's browser) are different. [1]
Mitigation
Dell Technologies has released fixed firmware versions: 4.32.10.00 and 4.40.00.00 for iDRAC9. These are available from the Dell Support site. Customers are advised to upgrade as soon as possible. The iDRAC should be isolated on a separate management network as a best practice to reduce exposure. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.