CVE-2018-1207
published 2018-03-23

Priority: P1 · 91 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 90.79% (99.8th percentile)
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.

Affected (2 ranges)

Vendor   Product  Version range  Fixed in
dellemc  idrac7   < 2.52.52.52   2.52.52.52
dellemc  idrac8   < 2.52.52.52   2.52.52.52

Detection & IOCs (extracted from sources)

URL:     /cgi-bin/login?LD_DEBUG=files
Command: curl -ik "http://192.168.1.100//cgi-bin/login?LD_DEBUG=files"
Path:    /cgi-bin/login
  • Send a GET request to /cgi-bin/login?LD_DEBUG=files on the target iDRAC7/8 interface. If the response body contains the string 'calling init: /lib/', the target is vulnerable to CVE-2018-1207.
  • The vulnerability is exploitable by an unauthenticated remote attacker via CGI variable injection (LD_DEBUG/LD_PRELOAD-style environment variable manipulation) on the iDRAC web interface.
  • The built-in exploit payload configures USER ID 13 with username 'user' and password 'Passw0rd' as an iDRAC webadmin. Monitor for unexpected iDRAC user creation at slot 13.
  • After exploitation, attackers may use racadm over TCP/443 for command-line access. Monitor for racadm connections to iDRAC on port 443.
  • The vulnerability affects Dell EMC iDRAC7/iDRAC8 versions PRIOR to 2.52.52.52 only. Devices running 2.52.52.52 or later are patched.
  • The exploit payload is precompiled for ARM (ELF 32-bit ARM architecture based on the binary header). It will only execute on the iDRAC's embedded ARM processor and is not portable to x86 targets.
  • Exploitation overwrites iDRAC USER ID 13 unconditionally; any existing user at that slot is unrecoverable.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -