Details of VAR-201803-1412

ID

VAR-201803-1412

CVE

CVE-2018-1207

TITLE

Dell EMC iDRAC7 and iDRAC8 Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-003351

DESCRIPTION

Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code. Dell EMC iDRAC7 and iDRAC8 Contains an injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Dell iDRAC7 and iDRAC8 devices are prone to a code-injection vulnerability. An attacker can exploit this issue to inject arbitrary code in the context of the affected device. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Dell iDRAC7 and iDRAC8 devices running firmware versions prior to 2.52.52.52 are vulnerable. Dell EMC iDRAC7 and iDRAC8 are both hardware and software system management solutions from Dell. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems

Trust: 2.07

sources: NVD: CVE-2018-1207 // JVNDB: JVNDB-2018-003351 // BID: 103694 // VULHUB: VHN-121992 // VULMON: CVE-2018-1207

AFFECTED PRODUCTS

vendor:	dell	model:	emc idrac7	scope:	lt	version:	2.52.52.52	Trust: 1.8
vendor:	dell	model:	emc idrac8	scope:	lt	version:	2.52.52.52	Trust: 1.8
vendor:	dell	model:	idrac8	scope:	eq	version:	2.40.40.40	Trust: 0.3
vendor:	dell	model:	idrac8	scope:	eq	version:	2.30.30.30	Trust: 0.3
vendor:	dell	model:	idrac8	scope:	eq	version:	2.30	Trust: 0.3
vendor:	dell	model:	idrac8	scope:	eq	version:	2.21.21.21	Trust: 0.3
vendor:	dell	model:	idrac7	scope:	eq	version:	2.40.40.40	Trust: 0.3
vendor:	dell	model:	idrac7	scope:	eq	version:	2.30.30.30	Trust: 0.3
vendor:	dell	model:	idrac7	scope:	eq	version:	2.30	Trust: 0.3
vendor:	dell	model:	idrac7	scope:	eq	version:	2.21.21.21	Trust: 0.3
vendor:	dell	model:	idrac8	scope:	ne	version:	2.52.52.5	Trust: 0.3
vendor:	dell	model:	idrac7	scope:	ne	version:	2.52.52.5	Trust: 0.3

sources: BID: 103694 // JVNDB: JVNDB-2018-003351 // NVD: CVE-2018-1207

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-1207
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-1207
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201803-909
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-121992
value:	HIGH
Trust: 0.1
VULMON:	CVE-2018-1207
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-1207
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-121992
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-1207
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-121992 // VULMON: CVE-2018-1207 // JVNDB: JVNDB-2018-003351 // CNNVD: CNNVD-201803-909 // NVD: CVE-2018-1207

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.1
problemtype:	CWE-74	Trust: 0.9

sources: VULHUB: VHN-121992 // JVNDB: JVNDB-2018-003351 // NVD: CVE-2018-1207

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-909

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201803-909

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003351

PATCH

title:	Dell EMC iDRAC Response to Common Vulnerabilities and Exposures CVE-2018-1207, CVE-2018-1211, and CVE-2018-1000116 [20 March 2018]	url:	http://en.community.dell.com/techcenter/extras/m/white_papers/20485410	Trust: 0.8
title:	Dell EMC iDRAC7 and iDRAC8 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79406	Trust: 0.6
title:	kenzer-templates	url:	https://github.com/Elsfa7-110/kenzer-templates	Trust: 0.1
title:	kenzer-templates	url:	https://github.com/ARPSyndicate/kenzer-templates	Trust: 0.1
title:	Exp101tsArchiv30thers	url:	https://github.com/nu11secur1ty/Exp101tsArchiv30thers	Trust: 0.1
title:	awesome-cve-poc_qazbnm456	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1

sources: VULMON: CVE-2018-1207 // JVNDB: JVNDB-2018-003351 // CNNVD: CNNVD-201803-909

EXTERNAL IDS

db:	NVD	id:	CVE-2018-1207	Trust: 2.9
db:	BID	id:	103694	Trust: 2.1
db:	JVNDB	id:	JVNDB-2018-003351	Trust: 0.8
db:	CNNVD	id:	CNNVD-201803-909	Trust: 0.6
db:	VULHUB	id:	VHN-121992	Trust: 0.1
db:	VULMON	id:	CVE-2018-1207	Trust: 0.1

sources: VULHUB: VHN-121992 // VULMON: CVE-2018-1207 // BID: 103694 // JVNDB: JVNDB-2018-003351 // CNNVD: CNNVD-201803-909 // NVD: CVE-2018-1207

REFERENCES

url:	http://en.community.dell.com/techcenter/extras/m/white_papers/20485410	Trust: 2.1
url:	http://www.securityfocus.com/bid/103694	Trust: 1.8
url:	https://twitter.com/nicowaisman/status/977279766792466432	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1207	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-1207	Trust: 0.8
url:	http://dell.com	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/94.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/elsfa7-110/kenzer-templates	Trust: 0.1

sources: VULHUB: VHN-121992 // VULMON: CVE-2018-1207 // BID: 103694 // JVNDB: JVNDB-2018-003351 // CNNVD: CNNVD-201803-909 // NVD: CVE-2018-1207

CREDITS

Immunity Team

Trust: 0.3

sources: BID: 103694

SOURCES

db:	VULHUB	id:	VHN-121992
db:	VULMON	id:	CVE-2018-1207
db:	BID	id:	103694
db:	JVNDB	id:	JVNDB-2018-003351
db:	CNNVD	id:	CNNVD-201803-909
db:	NVD	id:	CVE-2018-1207

LAST UPDATE DATE

2024-11-23T22:22:11.797000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-121992	date:	2020-08-24T00:00:00
db:	VULMON	id:	CVE-2018-1207	date:	2020-08-24T00:00:00
db:	BID	id:	103694	date:	2018-03-23T00:00:00
db:	JVNDB	id:	JVNDB-2018-003351	date:	2018-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201803-909	date:	2020-10-22T00:00:00
db:	NVD	id:	CVE-2018-1207	date:	2024-11-21T03:59:23.730

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-121992	date:	2018-03-23T00:00:00
db:	VULMON	id:	CVE-2018-1207	date:	2018-03-23T00:00:00
db:	BID	id:	103694	date:	2018-03-23T00:00:00
db:	JVNDB	id:	JVNDB-2018-003351	date:	2018-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201803-909	date:	2018-03-26T00:00:00
db:	NVD	id:	CVE-2018-1207	date:	2018-03-23T14:29:00.277