CVE-2018-1243

moderate-risk
Published 2018-07-02

Dell EMC iDRAC6, versions prior to 2.91, iDRAC7/iDRAC8, versions prior to 2.60.60.60 and iDRAC9, versions prior to 3.21.21.21, contain a weak CGI session ID vulnerability. The sessions invoked via CGI binaries use 96-bit numeric-only session ID values, which makes it easier for remote attackers to perform bruteforce session guessing attacks.

Do I need to act?

-
0.59% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / HIGH complexity

Affected Products (4)

Idrac6 Firmware
Idrac7 Firmware
Idrac8 Firmware

Affected Vendors

Dell

References (2)

Vendor Advisory http://en.community.dell.com/techcenter/extras/m/white_papers/20487494
Vendor Advisory http://en.community.dell.com/techcenter/extras/m/white_papers/20487494
34
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 10/34 · Low