CVE-2013-4785 - OpenCVE

The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: the vendor disputes the significance of this issue, stating "DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet."

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Dell	Idrac6 Firmware

Configuration 1 [-]

cpe:2.3:o:dell:idrac6_firmware:1.7:*:*:*:*:*:*:*

References

Link	Resource
ftp://ftp.dell.com/Manuals/Common/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95_FAQ2_en-us.pdf
http://en.community.dell.com/techcenter/systems-management/w/wiki/4929.how-to-check-if-ipmi-cipher-0-is-off.aspx
http://fish2.com/ipmi/dell/secret.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2013-07-08T22:00:00

Updated: 2013-09-27T09:00:00

Reserved: 2013-07-08T00:00:00

Link: CVE-2013-4785

JSON object: View

NVD Information

Status : Modified

Published: 2013-07-08T22:55:01.187

Modified: 2013-09-27T03:47:07.527

Link: CVE-2013-4785

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-23T00:00:00", "descriptions": [{"lang": "en", "value": "The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: the vendor disputes the significance of this issue, stating \"DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-09-27T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://en.community.dell.com/techcenter/systems-management/w/wiki/4929.how-to-check-if-ipmi-cipher-0-is-off.aspx"}, {"tags": ["x_refsource_MISC"], "url": "http://fish2.com/ipmi/dell/secret.html"}, {"tags": ["x_refsource_MISC"], "url": "ftp://ftp.dell.com/Manuals/Common/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95_FAQ2_en-us.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-4785", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: the vendor disputes the significance of this issue, stating \"DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://en.community.dell.com/techcenter/systems-management/w/wiki/4929.how-to-check-if-ipmi-cipher-0-is-off.aspx", "refsource": "MISC", "url": "http://en.community.dell.com/techcenter/systems-management/w/wiki/4929.how-to-check-if-ipmi-cipher-0-is-off.aspx"}, {"name": "http://fish2.com/ipmi/dell/secret.html", "refsource": "MISC", "url": "http://fish2.com/ipmi/dell/secret.html"}, {"name": "ftp://ftp.dell.com/Manuals/Common/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95_FAQ2_en-us.pdf", "refsource": "MISC", "url": "ftp://ftp.dell.com/Manuals/Common/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95_FAQ2_en-us.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-4785", "datePublished": "2013-07-08T22:00:00", "dateReserved": "2013-07-08T00:00:00", "dateUpdated": "2013-09-27T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.7:*:*:*:*:*:*:*", "matchCriteriaId": "09F3B0C2-F0DB-46E1-B06D-9AC1E9B65651", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: the vendor disputes the significance of this issue, stating \"DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet.\""}, {"lang": "es", "value": "La interfaz web en el iDRAC6 de Dell con versi\u00f3n de firmware anterior a 1.95, permite a los atacantes remotos modificar la interfaz CLP para usuarios arbitrarios y posiblemente tener otro impacto por medio de una petici\u00f3n a un formulario no especificado que es accesible desde el archivo testurls.html. NOTA: el proveedor cuestiona la importancia de este problema, declarando que \"Los DRAC est\u00e1n destinados a estar en una red de administraci\u00f3n separada; no est\u00e1n dise\u00f1ados ni destinados a ser conectados o conectados a Internet\"."}], "id": "CVE-2013-4785", "lastModified": "2013-09-27T03:47:07.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-07-08T22:55:01.187", "references": [{"source": "cve@mitre.org", "url": "ftp://ftp.dell.com/Manuals/Common/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95_FAQ2_en-us.pdf"}, {"source": "cve@mitre.org", "url": "http://en.community.dell.com/techcenter/systems-management/w/wiki/4929.how-to-check-if-ipmi-cipher-0-is-off.aspx"}, {"source": "cve@mitre.org", "url": "http://fish2.com/ipmi/dell/secret.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}