Article Number: 000221129
DSA-2024-018: Security Update for Dell iDRAC Service Module for Weak Folder Permission Vulnerabilities
Summary: Dell iDRAC Service Module remediation is available for iSM for Windows versions 5.3.0.0, 5.2.0.0 and 5.1.0.0 , which could be exploited by malicious users to compromise the affected system. ...
Article Content
Impact
High
Additional Details
This remediation is only applicable if Dell iDRAC Service Module (iSM) for Windows is installed in a custom location other than C:\Program Files\Dell\SysMgt.
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-22428 | Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability.It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system. Dell recommends customers upgrade at the earliest opportunity. | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H  |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-22428 | Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability.It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system. Dell recommends customers upgrade at the earliest opportunity. | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Affected Products and Remediation
| CVEs Addressed | Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|---|
| CVE-2024-22428 | iDRAC Service Module | iSM 5.2.0.0 and prior | iSM 5.2.0.0 and prior | iSM 5.3.0.0, A00 | iDRAC Service Module Release Build for Windows, v5.3.0.0 |
| CVE-2024-22428 | iDRAC Service Module | iSM 5.2.0.0 and prior | iSM 5.2.0.0 and prior | iSM 5.2.0.0, A00 | iDRAC Service Module Release build for windows, v5.2.0.0 |
| CVE-2024-22428 | iDRAC Service Module | iSM 5.2.0.0 and prior | iSM 5.2.0.0 and prior | iSM 5.1.0.0, A00 | iDRAC Service Module Release build for windows, v5.1.0.0 |
| CVEs Addressed | Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|---|
| CVE-2024-22428 | iDRAC Service Module | iSM 5.2.0.0 and prior | iSM 5.2.0.0 and prior | iSM 5.3.0.0, A00 | iDRAC Service Module Release Build for Windows, v5.3.0.0 |
| CVE-2024-22428 | iDRAC Service Module | iSM 5.2.0.0 and prior | iSM 5.2.0.0 and prior | iSM 5.2.0.0, A00 | iDRAC Service Module Release build for windows, v5.2.0.0 |
| CVE-2024-22428 | iDRAC Service Module | iSM 5.2.0.0 and prior | iSM 5.2.0.0 and prior | iSM 5.1.0.0, A00 | iDRAC Service Module Release build for windows, v5.1.0.0 |
NOTE: In addition to the below wording pointing specifically at a Windows-based tree structure. Dell confirms the issue discussed in this Security Advisory:
- does not impact the Linux version of the iDRAC Service Module,
- does not impact the iDRAC Service Module ViB for ESXi.
- does not impact the Linux version of the iDRAC Service Module,
- does not impact the iDRAC Service Module ViB for ESXi.
The hotfix is only applicable to hosts running Microsoft Windows Server and Client operating systems.
This patch is only applicable if Dell iDRAC Service Module (iSM) is installed in a custom location other than the default path: “C:\Program Files\Dell\SysMgt\”
Workarounds and Mitigations
| CVE ID | Workaround and Mitigation |
|---|---|
| CVE-2024-22428 | Install iSM at default location |
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-01-15 | Initial Release. |
| 2.0 | 2024-01-16 | Changes to formatting without content changes. |
| 3.0 | 2024-01-18 | Updated the "Affected Versions" to read 5.2.0.0. |
| 4.0 | 2024-01-30 | Updated the additional info field to highlight this only applies to specific OSes. |
| 5.0 | 2024-02-07 | added specific links to hotfix and full download for Windows. |
| 6.0 | 2024-02-12 | minor formatting changes and URL link spelling update. |
| 7.0 | 2024-02-13 | formating update without content changes. |
| 8.0 | 2024-02-16 | Added specific language targeted at Linux-based and ESXi versions of iSM |
| 9.0 | 2024-02-16 | formatting changes without content changes |
| 10.0 | 2024-03-07 | Multiple content updates: Summary, additional details, remediation table |
Related Information
Legal Information
Article Properties
Affected Product
iDRAC Service Module, iDRAC Service Module 5.x, 7920 XL Rack, Poweredge C4140, PowerEdge C6420, PowerEdge C6520, PowerEdge C6525, PowerEdge C6600, PowerEdge C6615, PowerEdge C6620, PowerEdge FC640, PowerEdge HS5610, PowerEdge HS5620, PowerEdge M640
, PowerEdge M640 (for PE VRTX), PowerEdge MX740C, PowerEdge MX750c, PowerEdge MX760c, PowerEdge MX840C, PowerEdge R240, PowerEdge R250, PowerEdge R340, PowerEdge R350, PowerEdge R360, PowerEdge R440, PowerEdge R450, PowerEdge R540, PowerEdge R550, PowerEdge R6415, PowerEdge R650, PowerEdge R650xs, PowerEdge R6515, PowerEdge R6525, PowerEdge R660, PowerEdge R660xs, PowerEdge R6615, PowerEdge R6625, PowerEdge R740, PowerEdge R740XD, PowerEdge R740XD2, PowerEdge R7415, PowerEdge R7425, PowerEdge R750, PowerEdge R750XA, PowerEdge R750xs, PowerEdge R7515, PowerEdge R7525, PowerEdge R760, PowerEdge R760XA, PowerEdge R760xd2, PowerEdge R760xs, PowerEdge R7615, PowerEdge R7625, PowerEdge R840, PowerEdge R860, PowerEdge R940, PowerEdge R940xa, PowerEdge R960, PowerEdge T140, PowerEdge T150, PowerEdge T340, PowerEdge T350, PowerEdge T360, PowerEdge T440, PowerEdge T550, PowerEdge T560, PowerEdge T640, PowerEdge XE2420, PowerEdge XE7420, PowerEdge XE7440, PowerEdge XE8545, PowerEdge XE8640, PowerEdge XE9640, PowerEdge XE9680, PowerEdge XR11, PowerEdge XR12, PowerEdge XR4510c, PowerEdge XR4520c, PowerEdge XR5610, PowerEdge XR7620, PowerEdge XR8000r, PowerEdge XR8610t, PowerEdge XR8620t, Precision 7960 Rack
...
Last Published Date
07 Mar 2024
Version
9
Article Type
Dell Security Advisory