Denial of service in Dell iDRAC8 and Dell iDRAC9

Published: 2022-09-27
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-0778
CWE-ID CWE-835
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
iDRAC9
Web applications / Remote management & hosting panels

iDRAC8
Web applications / Remote management & hosting panels

Vendor Dell

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Infinite loop

EUVDB-ID: #VU61391

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0778

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: Yes

Description

The vulnerability allows a remote, unauthenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in the BN_mod_sqrt() function of the OpenSSL library bundled with the iDRAC firmware (CVE-2022-0778). BN_mod_sqrt() computes a modular square root and is only guaranteed to terminate when the modulus is prime. It is reached whenever OpenSSL parses an ASN.1 certificate that contains an elliptic curve public key in compressed form, or explicit elliptic curve parameters whose base point is encoded in compressed form, because decompressing the point requires a square root modulo the curve's field prime. A certificate carrying a crafted non-prime modulus, or a compressed point that has no valid square root, makes the loop run forever. Certificate parsing happens before the certificate signature is verified, so the certificate does not need to be signed by a trusted CA: a remote attacker can present such a certificate to a TLS server that requests client certificates, or to a TLS client that connects to an attacker-controlled server, hang the affected process at full CPU and cause denial of service conditions. Upstream OpenSSL fixed the issue in versions 1.1.1n and 3.0.2 by bounding the loop and returning an error instead.
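As an added worked example (not code from Dell, OpenSSL or this bulletin), the following Python reproduces the mechanism described above: a Tonelli-Shanks modular square root structured like OpenSSL's BN_mod_sqrt(), called from SEC1 compressed-point decompression, which is the path a certificate with a compressed EC public key or a compressed base point takes. The bounded=True path models the upstream fix (the inner loop that searches for the smallest i with b^(2^i) = 1 is capped at e iterations and reports failure); the bounded=False path models the pre-fix loop, except that it raises an exception once the squaring sequence provably cycles instead of hanging the interpreter. The P-256 constants are the standard ones; the composite modulus 697 = 17 x 41 and the two-byte compressed point are constructed test inputs, and all function names are this example's own.

```python
# Added example (not Dell's, OpenSSL's or the bulletin's code): Tonelli-Shanks
# modular square root shaped like OpenSSL's BN_mod_sqrt(), driven from SEC1
# compressed-point decompression.  "bounded" selects post-fix (True) or
# pre-fix (False) loop behaviour for CVE-2022-0778.

class InfiniteLoopDetected(Exception):
    """Unbounded path: the squaring sequence cycles without reaching 1,
    i.e. the real pre-fix code would never return."""


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0 (Legendre symbol when n is prime)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def mod_sqrt(a: int, p: int, bounded: bool = True):
    """Return x with x*x == a (mod p), or None if a is not a square or p is bad."""
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    if p % 4 == 3:                       # e == 1 shortcut, also taken by BN_mod_sqrt()
        x = pow(a, (p + 1) // 4, p)
        return x if x * x % p == a else None
    q, e = p - 1, 0                      # write p - 1 = q * 2^e with q odd
    while q % 2 == 0:
        q //= 2
        e += 1
    # Pick a quadratic non-residue z; bounded search (OpenSSL also gives up
    # after a fixed number of candidates).
    for z in range(2, 2 + 82):
        if jacobi(z, p) == -1:
            break
    else:
        return None
    y = pow(z, q, p)
    x = pow(a, (q + 1) // 2, p)
    b = pow(a, q, p)
    while b != 1:
        # Smallest i with b^(2^i) == 1.  For prime p and a square a this happens
        # with i < e; for a composite p the sequence may never reach 1.
        i, t = 1, b * b % p
        seen = {t}                       # used only on the unbounded path
        while t != 1:
            i += 1
            if i == e and bounded:
                return None              # the fix: stop and report "not a square"
            t = t * t % p
            if not bounded:
                if t in seen:            # repeated value => provably infinite loop
                    raise InfiniteLoopDetected(f"b^(2^i) never reaches 1 mod {p}")
                seen.add(t)
        if i >= e:                       # only reachable on the unbounded path
            return None
        t = pow(y, 1 << (e - i - 1), p)
        y = t * t % p
        x = x * t % p
        b = b * y % p
        e = i
    return x if x * x % p == a else None


def would_hang(a: int, p: int) -> bool:
    """True if the pre-fix loop never terminates for (a, p)."""
    try:
        mod_sqrt(a, p, bounded=False)
    except InfiniteLoopDetected:
        return True
    return False


def decompress_point(encoded: bytes, p: int, a_coef: int, b_coef: int):
    """Decode SEC1 compressed point 0x02/0x03 || x on y^2 = x^3 + a*x + b over GF(p).
    With explicit (attacker-chosen) curve parameters, p need not be prime."""
    if len(encoded) < 2 or encoded[0] not in (0x02, 0x03):
        return None
    x = int.from_bytes(encoded[1:], "big")
    if x >= p:
        return None
    y = mod_sqrt((pow(x, 3, p) + a_coef * x + b_coef) % p, p)
    if y is None:
        return None
    if (y & 1) != (encoded[0] & 1):      # choose the root matching the prefix parity
        y = (p - y) % p
        if (y & 1) != (encoded[0] & 1):
            return None
    return x, y


# Standard NIST P-256 parameters (a = -3).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

if __name__ == "__main__":
    g = decompress_point(bytes([0x03]) + P256_GX.to_bytes(32, "big"), P256_P, P256_A, P256_B)
    print("P-256 generator recovered:", g == (P256_GX, P256_GY))
    # Constructed malicious "curve": composite field 697 = 17 * 41, a = b = 0.
    print("fixed path on composite modulus:", decompress_point(bytes([0x02, 0x02]), 697, 0, 0))
    print("pre-fix path would hang:", would_hang(8, 697))
```

With a real prime field and a point on the curve, decompress_point() recovers the y coordinate of the P-256 generator from its 33-byte compressed encoding. With a composite value supplied as the field prime through explicit curve parameters, the fixed path returns None where the pre-fix loop never returns; that is the whole attack, and it happens during parsing, before any signature on the certificate is checked.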

Mitigation

Install the firmware update from the vendor's website: iDRAC9 5.10.30.00 or later and iDRAC8 2.83.83.83 or later (Dell DSA-2022-154, linked below). The running firmware version can be checked with the racadm getversion command. Until the update is applied, keep the iDRAC network interface on an isolated management network and restrict which hosts can reach its TLS-terminating services, since any service on the controller that parses a peer-supplied certificate is exposed to this bug.

Vulnerable software versions

iDRAC9: before 5.10.30.00

iDRAC8: before 2.83.83.83

External links

http://www.dell.com/support/kbdoc/nl-nl/000200644/dsa-2022-154-dell-idrac8-and-dell-idrac9-security-update-for-an-openssl-vulnerability

Q & A

Can this vulnerability be exploited remotely?

Yes. The exploitation vector is network: a remote, unauthenticated attacker can trigger the infinite loop by presenting a crafted certificate over TLS to the affected iDRAC, and the certificate does not need a valid signature because parsing happens before signature verification.

Is there known malware, which exploits this vulnerability?

This bulletin does not report malware exploiting this vulnerability; public exploit code for the underlying OpenSSL flaw is available, however.
