Details of VAR-201806-1075

ID

VAR-201806-1075

CVE

CVE-2018-11053

TITLE

Dell EMC iDRAC Service Module Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-007638

DESCRIPTION

Dell EMC iDRAC Service Module for all supported Linux and XenServer versions v3.0.1, v3.0.2, v3.1.0, v3.2.0, when started, changes the default file permission of the hosts file of the host operating system (/etc/hosts) to world writable. A malicious low privileged operating system user or process could modify the host file and potentially redirect traffic from the intended destination to sites hosting malicious or unwanted content. Dell EMC iDRAC Service Module Contains vulnerabilities related to authorization, permissions, and access control.Information may be tampered with. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. EMC iDRAC Service Module 3.0.1, 3.0.2, 3.1.0, and 3.2.0 are vulnerable. The software extends the integrated Dell EMC Remote Access Controller (iDRAC) to the host operating system

Trust: 2.07

sources: NVD: CVE-2018-11053 // JVNDB: JVNDB-2018-007638 // BID: 104567 // VULHUB: VHN-120874 // VULMON: CVE-2018-11053

AFFECTED PRODUCTS

vendor:	dell	model:	emc idrac service module	scope:	eq	version:	3.2.0	Trust: 2.7
vendor:	dell	model:	emc idrac service module	scope:	eq	version:	3.1.0	Trust: 2.7
vendor:	dell	model:	emc idrac service module	scope:	eq	version:	3.0.2	Trust: 2.7
vendor:	dell	model:	emc idrac service module	scope:	eq	version:	3.0.1	Trust: 2.7
vendor:	dell	model:	emc idrac service module	scope:	ne	version:	3.2.0.1	Trust: 0.3
vendor:	dell	model:	emc idrac service module	scope:	ne	version:	3.1.0.1	Trust: 0.3

sources: BID: 104567 // JVNDB: JVNDB-2018-007638 // CNNVD: CNNVD-201806-1212 // NVD: CVE-2018-11053

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-11053
value:	MEDIUM
Trust: 1.0
security_alert@emc.com:	CVE-2018-11053
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-11053
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201806-1212
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-120874
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-11053
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-11053
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-120874
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-11053
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
security_alert@emc.com:	CVE-2018-11053
baseSeverity:	MEDIUM
baseScore:	6.6
vectorString:	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.3
version:	3.0
Trust: 1.0
NVD:	CVE-2018-11053
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-120874 // VULMON: CVE-2018-11053 // JVNDB: JVNDB-2018-007638 // CNNVD: CNNVD-201806-1212 // NVD: CVE-2018-11053 // NVD: CVE-2018-11053

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.1
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-120874 // JVNDB: JVNDB-2018-007638 // NVD: CVE-2018-11053

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-1212

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201806-1212

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007638

PATCH

title:	iSM: Dell EMC iDRAC Service Module Improper File Permission Vulnerability	url:	https://www.dell.com/support/article/jp/ja/jpbsd1/sln310281/ism-dell-emc-idrac-service-module-improper-file-permission-vulnerability?lang=en	Trust: 0.8
title:	Dell EMC iDRAC Service Module Linux and XenServer Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81495	Trust: 0.6
title:	-	url:	https://github.com/chnzzh/iDRAC-CVE-lib	Trust: 0.1

sources: VULMON: CVE-2018-11053 // JVNDB: JVNDB-2018-007638 // CNNVD: CNNVD-201806-1212

EXTERNAL IDS

db:	NVD	id:	CVE-2018-11053	Trust: 2.9
db:	BID	id:	104567	Trust: 2.9
db:	JVNDB	id:	JVNDB-2018-007638	Trust: 0.8
db:	CNNVD	id:	CNNVD-201806-1212	Trust: 0.7
db:	VULHUB	id:	VHN-120874	Trust: 0.1
db:	VULMON	id:	CVE-2018-11053	Trust: 0.1

sources: VULHUB: VHN-120874 // VULMON: CVE-2018-11053 // BID: 104567 // JVNDB: JVNDB-2018-007638 // CNNVD: CNNVD-201806-1212 // NVD: CVE-2018-11053

REFERENCES

url:	http://www.securityfocus.com/bid/104567	Trust: 2.7
url:	http://www.dell.com/support/article/us/en/19/sln310281/ism-dell-emc-idrac-service-module-improper-file-permission-vulnerability?lang=en	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11053	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-11053	Trust: 0.8
url:	http://dell.com	Trust: 0.3
url:	https://www.dell.com/support/article/in/en/indhs1/sln310281/ism-dell-emc-idrac-service-module-improper-file-permission-vulnerability?lang=en	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/732.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/chnzzh/idrac-cve-lib	Trust: 0.1

sources: VULHUB: VHN-120874 // VULMON: CVE-2018-11053 // BID: 104567 // JVNDB: JVNDB-2018-007638 // CNNVD: CNNVD-201806-1212 // NVD: CVE-2018-11053

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 104567

SOURCES

db:	VULHUB	id:	VHN-120874
db:	VULMON	id:	CVE-2018-11053
db:	BID	id:	104567
db:	JVNDB	id:	JVNDB-2018-007638
db:	CNNVD	id:	CNNVD-201806-1212
db:	NVD	id:	CVE-2018-11053

LAST UPDATE DATE

2024-11-23T22:55:51.837000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-120874	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2018-11053	date:	2021-06-10T00:00:00
db:	BID	id:	104567	date:	2018-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2018-007638	date:	2018-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201806-1212	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-11053	date:	2024-11-21T03:42:34.380

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-120874	date:	2018-06-26T00:00:00
db:	VULMON	id:	CVE-2018-11053	date:	2018-06-26T00:00:00
db:	BID	id:	104567	date:	2018-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2018-007638	date:	2018-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201806-1212	date:	2018-06-26T00:00:00
db:	NVD	id:	CVE-2018-11053	date:	2018-06-26T22:29:00.210