VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2021 · Updated Sep 16, 2024

CVE-2021-36320

Description

Dell Networking X-Series firmware <3.0.1.9 and PowerEdge VRTX Switch Module <2.0.0.83 allow unauthenticated remote attackers to hijack webserver sessions by forging session IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A session ID forgery vulnerability exists in Dell Networking X-Series firmware versions before 3.0.1.9 and Dell PowerEdge VRTX Switch Module firmware versions before 2.0.0.83 [1]. The webserver fails to properly validate the authenticity of session identifiers, allowing an attacker to bypass authentication by supplying a crafted session ID [1]. No special configuration or privilege is required to reach the vulnerable code path.

Exploitation

An unauthenticated remote attacker can exploit this flaw by intercepting or guessing a valid session ID, or by forging a session ID that the webserver accepts without validation [1]. The attacker must be able to send HTTP requests to the webserver. No user interaction is required beyond the victim having an active session, and the attacker may leverage network access to inject the forged session ID [1].

Impact

Successful exploitation results in session hijacking, giving the attacker unauthorized access to the webserver with the privileges of the hijacked session [1]. This can lead to full compromise of the affected device, including disclosure of sensitive information, modification of configuration, or disruption of operations. The CVSSv3.1 score is 7.5 (High) with a vector of AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impact [1].

Mitigation

Dell has released firmware version 3.0.1.9 for Networking X-Series and version 2.0.0.83 for PowerEdge VRTX Switch Module to address this vulnerability [1]. Users should upgrade to the fixed versions. No workaround is mentioned in the available references [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1