search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Dell iDRAC 6 and iDRAC 7 are vulnerable to a cross-site scripting (XSS) attack

Vulnerability Note VU#920038

Original Release Date: 2013-09-23 | Last Revised: 2013-09-24

Overview

Dell iDRAC 6 version 1.41, Dell iDRAC 7 version 1.40.40 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Dell iDRAC 6 version 1.41 and Dell iDRAC 7 version 1.40.40's administrative web interface login page can allow remote attackers to inject arbitrary script via the vulnerable query string parameter ErrorMsg.

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the user's browser.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Apply an Update

Firmware updates will be posted to the Dell support page when available. Users should download the appropriate update for the version of iDRAC they have installed:

    • iDRAC6 “monolithic” (rack and towers) – FW version 1.96; targeted release date is Q4CY13.
    • iDRAC7 all models – FW version 1.46.45; target release date is mid/late September 2013.
    • NOTE: iDRAC6 “modular” (blades) are not affected; no updates are required.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Dell iDRAC web interface using stolen credentials from a blocked network location.

Vendor Information

920038
 
Expand all

Dell Computer Corporation, Inc. Affected

Notified:  July 01, 2013 Updated: September 23, 2013

Status

Affected

Vendor Statement

Dell response to Vulnerability Note VU#920038

Overview
This document addresses Vulnerability Note VU#920038.

Description
Administrative Web Interface in login page allows remote attackers to inject arbitrary web scripts or HTML via the vulnerable query string parameter .ErrorMsg

Affected Products

      • iDRAC6 “monolithic” (rack and towers)
      • iDRAC7 all models
      • NOTE: iDRAC6 “modular” (blades) are not affected

Solution
Apply an Update
      • Firmware updates will be posted to www.dell.com/support when available
Users should download the appropriate update for the version of iDRAC they have installed.
      • iDRAC6 “monolithic” (rack and towers) – FW version 1.96; target release Q4CY13
      • iDRAC7 all models – FW version 1.46.45; target release date mid/late September 2013
      • NOTE: iDRAC6 “modular” (blades) are not affected; no update required

Additional Information
      • DRAC’s are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.
      • Along with locating DRACs on a separate management subnet, users should isolate the management subnet/vLAN with technologies such as firewalls, and limit access to the subnet/vLAN to authorized server administrators.

© 2013 Dell Inc. All rights reserved.
This response is for informational purposes only, and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 8.5 AV:N/AC:L/Au:N/C:P/I:C/A:N
Temporal 7.7 E:F/RL:W/RC:ND
Environmental 1.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Tudor Enache of Help AG Middle East for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3589
Date Public: 2013-09-23
Date First Published: 2013-09-23
Date Last Updated: 2013-09-24 19:28 UTC
Document Revision: 25

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis