VYPR
Unrated severity · NVD Advisory · Published Apr 30, 2021 · Updated Sep 16, 2024

CVE-2021-21539

Description

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to gain elevated privileges when a user with higher privileges is simultaneously accessing iDRAC through the web interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A TOCTOU race condition in Dell iDRAC9 prior to 4.40.00.00 allows an authenticated attacker to gain elevated privileges.

Vulnerability

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a Time-of-check Time-of-use (TOCTOU) race condition vulnerability in the web interface. The issue arises when a user with higher privileges simultaneously accesses iDRAC through the web interface, allowing an authenticated attacker to exploit the race window [1].

Exploitation

A remote authenticated attacker must be logged into iDRAC and trigger the race condition while a higher-privileged user (e.g., an administrator) is also accessing the web interface. The attacker needs only low privileges, but user interaction is required: the higher-privileged user must be active at the time. Exploitation complexity is high because of the precise timing needed [1].

Impact

Successful exploitation allows the attacker to gain elevated privileges, potentially leading to unauthorized access to sensitive information, modification of configuration, or limited availability impact. The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L) [1].

Mitigation

Dell released firmware version 4.40.00.00 to address this vulnerability. Users should update iDRAC9 to version 4.40.00.00 or later. No workarounds are mentioned; the fix is available from Dell support [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)