ID

VAR-202108-0514


CVE

CVE-2021-21596


TITLE

Dell OpenManage Enterprise and Dell OpenManage Enterprise Modular Information Disclosure Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-009520

DESCRIPTION

Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00 contain a remote code execution vulnerability. A malicious attacker with access to the immediate subnet may potentially exploit this vulnerability, leading to information disclosure and a possible elevation of privileges.

Details - Remote Auth Bypass with 2 pre-auth RCEs in docker instances

There is a chain of pre-auth vulnerabilities that allows an attacker to:

- get a shell on the redis container, as redis
- get a shell on the postgres container, as postgres
- get full access to the postgres database
- bypass authentication on the web interface as admin

Due to some requirements in the exploit chain, the attacker needs to be on the same subnet as the target (same LAN, without a gateway between the target and the attacker).

The attack scenario is:

1. the attacker will own the redis running in a container inside the virtual machine running Dell OpenManage Enterprise and get a shell inside this container
2. the attacker will use the shell inside the redis container as a relay to get access to the remote postgresql server
3. the attacker will get a shell on the postgresql server
4. the attacker will redefine a new password for the web interface and will dump the entire postgresql server
5. the attacker will get access to the web interface as admin

The..

Trust: 1.8

sources: NVD: CVE-2021-21596 // JVNDB: JVNDB-2021-009520 // VULHUB: VHN-380000 // VULMON: CVE-2021-21596

AFFECTED PRODUCTS

vendor: dell, model: openmanage enterprise, scope: lte, version: 3.6.1

Trust: 1.0

vendor: dell, model: openmanage enterprise-modular, scope: lte, version: 1.30.00

Trust: 1.0

vendor: dell, model: openmanage enterprise, scope: gte, version: 3.4

Trust: 1.0

vendor: dell, model: openmanage enterprise-modular, scope: gte, version: 1.20.00

Trust: 1.0

vendor: Dell, model: dell openmanage enterprise, scope: eq, version: 3.4 to 3.6.1

Trust: 0.8

vendor: Dell, model: dell openmanage enterprise-modular, scope: eq, version: 1.20.00 to 1.30.00

Trust: 0.8

vendor: Dell, model: dell openmanage enterprise, scope: eq, version: -modular 1.20.00 to 1.30.00

Trust: 0.8

sources: JVNDB: JVNDB-2021-009520 // NVD: CVE-2021-21596

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-21596
value: HIGH

Trust: 1.0

security_alert@emc.com: CVE-2021-21596
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-21596
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202107-1481
value: HIGH

Trust: 0.6

VULHUB: VHN-380000
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-21596
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-21596
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-380000
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-21596
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

security_alert@emc.com: CVE-2021-21596
baseSeverity: CRITICAL
baseScore: 9.6
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-21596
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-380000 // VULMON: CVE-2021-21596 // JVNDB: JVNDB-2021-009520 // CNNVD: CNNVD-202107-1481 // NVD: CVE-2021-21596 // NVD: CVE-2021-21596

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.0

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: information leak (CWE-200) [NVD Evaluation]

Trust: 0.8

problemtype: Improper authority management (CWE-269) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-009520 // NVD: CVE-2021-21596

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202107-1481

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202107-1481

PATCH

title: DSA-2021-113, url: https://www.dell.com/support/kbdoc/000189673

Trust: 0.8

title: Dell OpenManage Enterprise Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=159151

Trust: 0.6

sources: JVNDB: JVNDB-2021-009520 // CNNVD: CNNVD-202107-1481

EXTERNAL IDS

db: NVD, id: CVE-2021-21596

Trust: 3.4

db: JVNDB, id: JVNDB-2021-009520

Trust: 0.8

db: CNNVD, id: CNNVD-202107-1481

Trust: 0.6

db: SEEBUG, id: SSVID-99310

Trust: 0.1

db: VULHUB, id: VHN-380000

Trust: 0.1

db: VULMON, id: CVE-2021-21596

Trust: 0.1

sources: VULHUB: VHN-380000 // VULMON: CVE-2021-21596 // JVNDB: JVNDB-2021-009520 // CNNVD: CNNVD-202107-1481 // NVD: CVE-2021-21596

REFERENCES

url: https://www.dell.com/support/kbdoc/000189673

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2021-21596

Trust: 0.8

url: https://vigilance.fr/vulnerability/dell-openmanage-enterprise-four-vulnerabilities-35926

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url: https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-380000 // VULMON: CVE-2021-21596 // JVNDB: JVNDB-2021-009520 // CNNVD: CNNVD-202107-1481 // NVD: CVE-2021-21596

SOURCES

db: VULHUB, id: VHN-380000
db: VULMON, id: CVE-2021-21596
db: JVNDB, id: JVNDB-2021-009520
db: CNNVD, id: CNNVD-202107-1481
db: NVD, id: CVE-2021-21596

LAST UPDATE DATE

2024-08-14T13:23:28.220000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-380000, date: 2022-10-24T00:00:00
db: VULMON, id: CVE-2021-21596, date: 2021-08-13T00:00:00
db: JVNDB, id: JVNDB-2021-009520, date: 2022-05-02T09:16:00
db: CNNVD, id: CNNVD-202107-1481, date: 2022-10-25T00:00:00
db: NVD, id: CVE-2021-21596, date: 2022-10-24T19:52:29.033

SOURCES RELEASE DATE

db: VULHUB, id: VHN-380000, date: 2021-08-09T00:00:00
db: VULMON, id: CVE-2021-21596, date: 2021-08-09T00:00:00
db: JVNDB, id: JVNDB-2021-009520, date: 2022-05-02T00:00:00
db: CNNVD, id: CNNVD-202107-1481, date: 2021-07-20T00:00:00
db: NVD, id: CVE-2021-21596, date: 2021-08-09T21:15:07.980