CVE-2021-36300
Description
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated remote attacker can crash the iDRAC9 webserver or disclose information via a specially crafted request due to improper input validation in versions prior to 5.00.00.00.
Vulnerability
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability in the web server component. An unauthenticated remote attacker can send a specially crafted malicious request to trigger the flaw. The affected versions are all iDRAC9 releases before the 5.00.00.00 firmware update [1].
Exploitation
An attacker with network access to the iDRAC9 management interface can exploit this vulnerability by sending a specially crafted HTTP request. No authentication is required, and the attack does not require any user interaction or elevated privileges. Successful exploitation relies on the input validation checks failing to reject the malicious input [1].
Impact
A successful exploit can cause the iDRAC9 web server to become unresponsive (denial of service) or lead to information disclosure. The CVSS vector (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L) indicates a high confidentiality impact due to possible data leakage and a low availability impact. The attack complexity is rated high, meaning the attacker may need to craft the request carefully [1].
Mitigation
Dell released firmware version 5.00.00.00 to address this vulnerability. Users should update iDRAC9 to version 5.00.00.00 or later. For systems that cannot be updated immediately, restrict network access to the iDRAC management interface to trusted IP addresses and ensure the interface is not exposed to the internet. The advisory itself provides no workaround [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] support.emc.com/kb/000191229
News mentions
No linked articles in our index yet.