CVE-2021-36348
Description
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell iDRAC9 before 5.00.20.00 has an input injection flaw; a low-privileged authenticated remote attacker can trigger info disclosure or DoS via crafted input.
Vulnerability
Dell EMC iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. The flaw resides in the iDRAC9 web interface or management subsystem that processes user-supplied data. A remote authenticated attacker with low privileges can exploit this by sending specially crafted input data to the iDRAC service [1].
Exploitation
An attacker must be authenticated to the iDRAC9 web interface or management API. The attack is performed over the network, requires low privileges (i.e., a standard user account), and does not require user interaction beyond the initial authentication. By supplying maliciously crafted input data to a vulnerable input field or parameter, the attacker can inject content that the iDRAC processes unsafely [1].
Impact
Successful exploitation can lead to information disclosure (confidentiality breach) or denial of service (availability impact). The CVSS vector indicates a high confidentiality impact and low availability impact, with no integrity impact. The attacker gains access to sensitive data or causes the service to become unavailable, but does not achieve code execution or privilege escalation [1].
Mitigation
Dell EMC released iDRAC9 firmware version 5.00.20.00 to remediate this vulnerability; users should upgrade to this version or later. Dell's security advisory DSA-2021-259 provides the update details [1]. No workarounds have been published; the only mitigation is applying the firmware update.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.dell.com/support/kbdoc/000194038
News mentions
No linked articles in our index yet.