VYPR
Unrated severity · NVD Advisory · Published Aug 3, 2021 · Updated Sep 17, 2024

CVE-2021-21576

Description

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim's browser by tricking the victim into following a specially crafted link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dell EMC iDRAC9 before 4.40.40.00 has a DOM-based XSS that lets a remote attacker run malicious HTML/JS by tricking a victim into clicking a crafted link.

Vulnerability

CVE-2021-21576 is a DOM-based cross-site scripting (XSS) vulnerability in the Dell EMC iDRAC9 web interface. All firmware versions prior to 4.40.40.00 are affected. The flaw lies in client-side script that takes user-controlled input and writes it into the browser's DOM without proper encoding; because the injection happens entirely in the browser, server-side sanitization never sees it. No special configuration is required; the vulnerable code path is reachable through normal user interaction with the management console.
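The advisory names the pattern but not the page or parameter involved, so the following is an added example, not Dell's or iDRAC9's code: a generic DOM-based XSS source-to-sink flow (URL fragment into innerHTML) next to the hardened form (text-only sink, or escaping before an HTML sink). The "welcome" widget, the fragment format and the stand-in element are assumptions made so the script runs under Node without a browser.

```javascript
// Added example (not Dell/iDRAC9 code): models the generic DOM-based XSS
// pattern from the advisory. The widget and fragment format are hypothetical.

// Minimal HTML escaping for the characters that matter in text and
// attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for a DOM element so the two sinks can be exercised in Node.
// Writing innerHTML stores markup that a browser would parse as HTML;
// writing textContent stores inert text, which a browser serializes back
// through innerHTML in escaped form.
function fakeElement() {
  let markup = "";
  return {
    set innerHTML(s) { markup = String(s); },
    get innerHTML() { return markup; },
    set textContent(s) { markup = escapeHtml(s); },
  };
}

// Source: a URL fragment such as location.hash. Whoever crafts the link
// controls it, and the fragment is never sent to the server, which is why
// server-side filtering cannot help here.
function nameFromFragment(hash) {
  return decodeURIComponent(hash.replace(/^#/, ""));
}

// Vulnerable pattern: user-controlled source flows into an HTML sink.
function renderUnsafe(hash, el) {
  el.innerHTML = "Welcome, " + nameFromFragment(hash);
  return el.innerHTML;
}

// Hardened pattern: same feature, text-only sink, so tags stay inert.
function renderSafe(hash, el) {
  el.textContent = "Welcome, " + nameFromFragment(hash);
  return el.innerHTML;
}

// Hardened alternative when HTML output is genuinely required: encode the
// untrusted part before it reaches the HTML sink.
function renderEscaped(hash, el) {
  el.innerHTML = "Welcome, " + escapeHtml(nameFromFragment(hash));
  return el.innerHTML;
}

// Review helper: does a string that reached an HTML sink still contain a
// tag opener? Useful in unit tests around any innerHTML/document.write call.
function containsMarkup(s) {
  return /<[a-zA-Z!\/]/.test(s);
}

// Constructed input: a harmless <b> tag stands in for any injected markup.
const CONSTRUCTED_FRAGMENT = "#Dana%3Cb%3E!%3C/b%3E";

// Runs all three renderers on the constructed fragment and reports which
// sinks still carry parseable markup.
function demo() {
  const unsafe = renderUnsafe(CONSTRUCTED_FRAGMENT, fakeElement());
  const safe = renderSafe(CONSTRUCTED_FRAGMENT, fakeElement());
  const escaped = renderEscaped(CONSTRUCTED_FRAGMENT, fakeElement());
  return {
    unsafe, safe, escaped,
    unsafeHasMarkup: containsMarkup(unsafe),
    safeHasMarkup: containsMarkup(safe),
    escapedHasMarkup: containsMarkup(escaped),
  };
}

console.log(demo());
```

The fix that matters is on the sink side: pick a text-only sink (textContent, or setting attributes with setAttribute rather than string-built HTML) or encode before an HTML sink, and add a test like containsMarkup around every place an untrusted source reaches innerHTML. Only the unsafe renderer leaves a tag opener in the rendered markup.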

Exploitation

To exploit this vulnerability, an attacker must convince a victim to click a specially crafted link. The attacker does not require authentication or network access beyond the ability to deliver the link (e.g., via email, instant message, or a malicious website). Once the victim follows the link, the malicious HTML or JavaScript executes in the context of the iDRAC9 web interface in the victim's browser.

Impact

Successful exploitation allows the attacker to execute arbitrary HTML or JavaScript in the victim's browser within the iDRAC9 session. This can lead to data theft, session hijacking, defacement, or phishing of additional credentials. The CVSS score is 6.1 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating low confidentiality and integrity impact but a changed scope.

Mitigation

Dell has released iDRAC9 firmware version 4.40.40.00 which resolves this vulnerability. All users are advised to update to this version or later. No workaround is provided in the references. The vulnerability is not listed on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)