iDRAC9 versions prior to 3.21.21.21 did not enforce the use of TLS/SSL for a connection to iDRAC web server for certain URLs
CVE-2018-1249

6.5MEDIUM

Key Information:

Vendor: Dell
Status: Idrac9
Vendor: CVE Published:; 2 July 2018

Summary

Dell EMC iDRAC9 versions prior to 3.21.21.21 did not enforce the use of TLS/SSL for a connection to iDRAC web server for certain URLs. A man-in-the-middle attacker could use this vulnerability to strip the SSL/TLS protection from a connection between a client and a server.

Affected Version(s)

iDRAC9 < 3.21.21.21

References

http://en.community.dell.com/techcenter/extras/m/white_pa...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 2, 2018
Vulnerability Reserved
Dec 6, 2017