Overview
Dell iDRAC 6 version 1.41, Dell iDRAC 7 version 1.40.40 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Dell iDRAC 6 version 1.41 and Dell iDRAC 7 version 1.40.40's administrative web interface login page can allow remote attackers to inject arbitrary script via the vulnerable query string parameter ErrorMsg. |
Impact
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the user's browser. |
Solution
We are currently unaware of a practical solution to this problem. Please consider the following workarounds. |
Apply an Update
Restrict access As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Dell iDRAC web interface using stolen credentials from a blocked network location. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 8.5 | AV:N/AC:L/Au:N/C:P/I:C/A:N |
| Temporal | 7.7 | E:F/RL:W/RC:ND |
| Environmental | 1.9 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Tudor Enache of Help AG Middle East for reporting this vulnerability.
This document was written by Adam Rauf.
Other Information
| CVE IDs: | CVE-2013-3589 |
| Date Public: | 2013-09-23 |
| Date First Published: | 2013-09-23 |
| Date Last Updated: | 2013-09-24 19:28 UTC |
| Document Revision: | 25 |