CVE-2018-15774 (GCVE-0-2018-15774)
Vulnerability from cvelistv5
Published
2018-12-13 22:00
Modified
2024-09-17 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Privilege escalation vulnerability.
Summary
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en"
},
{
"name": "106233",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106233"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iDRAC",
"vendor": "Dell EMC",
"versions": [
{
"lessThan": "2.61.60.60",
"status": "affected",
"version": "iDRAC7",
"versionType": "custom"
},
{
"lessThan": "2.61.60.60",
"status": "affected",
"version": "iDRAC8",
"versionType": "custom"
},
{
"changes": [
{
"at": "3.21.24.22",
"status": "unaffected"
},
{
"at": "3.21.26.22",
"status": "unaffected"
}
],
"lessThan": "3.20.21.20",
"status": "affected",
"version": "iDRAC9",
"versionType": "custom"
},
{
"lessThan": "3.23.23.23",
"status": "affected",
"version": "iDRAC9",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-12-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege escalation vulnerability.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-19T10:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en"
},
{
"name": "106233",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106233"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "iDRAC7/iDRAC8/iDRAC9 - Privilege Escalation Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2018-12-11T06:00:00.000Z",
"ID": "CVE-2018-15774",
"STATE": "PUBLIC",
"TITLE": "iDRAC7/iDRAC8/iDRAC9 - Privilege Escalation Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iDRAC",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "iDRAC7",
"version_value": "2.61.60.60"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "iDRAC8",
"version_value": "2.61.60.60"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "iDRAC9",
"version_value": "3.20.21.20"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "iDRAC9",
"version_value": "3.21.24.22"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "iDRAC9",
"version_value": "3.21.26.22"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "iDRAC9",
"version_value": "3.23.23.23"
}
]
}
}
]
},
"vendor_name": "Dell EMC"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege escalation vulnerability."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en",
"refsource": "CONFIRM",
"url": "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en"
},
{
"name": "106233",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106233"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-15774",
"datePublished": "2018-12-13T22:00:00Z",
"dateReserved": "2018-08-23T00:00:00",
"dateUpdated": "2024-09-17T01:36:18.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-15774\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2018-12-13T22:29:00.327\",\"lastModified\":\"2024-11-21T03:51:26.783\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.\"},{\"lang\":\"es\",\"value\":\"Dell EMC iDRAC7/iDRAC8, en versiones anteriores a la 2.61.60.60, y iDRAC9 en versiones anteriores a la 3.20.21.20, 3.21.24.22, 3.21.26.22 y 3.23.23.23, contienen una vulnerabilidad de escalado de privilegios. Un usuario iDRAC malicioso autenticado con privilegios de operador podr\u00eda explotar un error de comprobaci\u00f3n de permisos en la interfaz Redfish para obtener acceso de administrador.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dell:idrac7_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.61.60.60\",\"matchCriteriaId\":\"ACBCB009-3BF0-48D8-9F79-7466D3337F72\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dell:idrac8_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.61.60.60\",\"matchCriteriaId\":\"B452829A-3012-44C8-B0EB-176CD61DEE07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dell:idrac9_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.20.21.20\",\"matchCriteriaId\":\"1BCE2274-B3B1-4BA6-B01A-869258936FA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dell:idrac9_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.21.21.21\",\"versionEndExcluding\":\"3.21.24.22\",\"matchCriteriaId\":\"B97B609B-9A8C-4421-BAE8-555D339BB2E3\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/106233\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/106233\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…