Vulnerability-Lookup

CNVD-2021-36017

Vulnerability from cnvd - Published: 2021-05-20

Title

Dell SRM和SMR代码问题漏洞

Description

Dell EMC Storage Resource Manager是美国戴尔（Dell）公司的一个应用软件。一种全面的监视和报告解决方案，可帮助IT可视化，分析和优化当今的存储基础架构，同时提供支持软件定义存储投资的管理框架。 Dell SRM 4.5.0.1版本之前和Dell SMR 4.5.0.1版本之前存在代码问题漏洞，攻击者可利用该漏洞在应用程序上执行任意特权代码。

Severity

高

Patch Name

Dell SRM和SMR代码问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.dell.com/support/kbdoc/en-us/000184753/dsa-2021-054-dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-vulnerabilities

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-21524

Impacted products

Name
['Dell SRM <4.5.0.1', 'Dell SMR <4.5.0.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21524"
    }
  },
  "description": "Dell EMC Storage Resource Manager\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u79cd\u5168\u9762\u7684\u76d1\u89c6\u548c\u62a5\u544a\u89e3\u51b3\u65b9\u6848\uff0c\u53ef\u5e2e\u52a9IT\u53ef\u89c6\u5316\uff0c\u5206\u6790\u548c\u4f18\u5316\u5f53\u4eca\u7684\u5b58\u50a8\u57fa\u7840\u67b6\u6784\uff0c\u540c\u65f6\u63d0\u4f9b\u652f\u6301\u8f6f\u4ef6\u5b9a\u4e49\u5b58\u50a8\u6295\u8d44\u7684\u7ba1\u7406\u6846\u67b6\u3002\n\nDell SRM 4.5.0.1\u7248\u672c\u4e4b\u524d\u548cDell SMR 4.5.0.1\u7248\u672c\u4e4b\u524d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5e94\u7528\u7a0b\u5e8f\u4e0a\u6267\u884c\u4efb\u610f\u7279\u6743\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.dell.com/support/kbdoc/en-us/000184753/dsa-2021-054-dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-vulnerabilities",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-36017",
  "openTime": "2021-05-20",
  "patchDescription": "Dell EMC Storage Resource Manager\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u79cd\u5168\u9762\u7684\u76d1\u89c6\u548c\u62a5\u544a\u89e3\u51b3\u65b9\u6848\uff0c\u53ef\u5e2e\u52a9IT\u53ef\u89c6\u5316\uff0c\u5206\u6790\u548c\u4f18\u5316\u5f53\u4eca\u7684\u5b58\u50a8\u57fa\u7840\u67b6\u6784\uff0c\u540c\u65f6\u63d0\u4f9b\u652f\u6301\u8f6f\u4ef6\u5b9a\u4e49\u5b58\u50a8\u6295\u8d44\u7684\u7ba1\u7406\u6846\u67b6\u3002\r\n\r\nDell SRM 4.5.0.1\u7248\u672c\u4e4b\u524d\u548cDell SMR 4.5.0.1\u7248\u672c\u4e4b\u524d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5e94\u7528\u7a0b\u5e8f\u4e0a\u6267\u884c\u4efb\u610f\u7279\u6743\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell SRM\u548cSMR\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Dell SRM \u003c4.5.0.1",
      "Dell SMR \u003c4.5.0.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21524",
  "serverity": "\u9ad8",
  "submitTime": "2021-04-13",
  "title": "Dell SRM\u548cSMR\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-21524 (GCVE-0-2021-21524)

Vulnerability from cvelistv5 – Published: 2021-04-12 19:50 – Updated: 2024-09-16 16:52

Summary

Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Critical as this may lead to system compromise by unauthenticated attackers.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

dell

References

URL

Tags

https://www.dell.com/support/kbdoc/en-us/00018475…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Dell	Dell EMC Storage Monitoring and Reporting	Affected: unspecified , < 4.5.0.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:16:23.039Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.dell.com/support/kbdoc/en-us/000184753/dsa-2021-054-dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Dell EMC Storage Monitoring and Reporting",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "4.5.0.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-03-30T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Critical as this may lead to system compromise by unauthenticated attackers."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-12T19:50:16.000Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000184753/dsa-2021-054-dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "DATE_PUBLIC": "2021-03-30",
          "ID": "CVE-2021-21524",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Dell EMC Storage Monitoring and Reporting",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.5.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dell"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Critical as this may lead to system compromise by unauthenticated attackers."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502: Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.dell.com/support/kbdoc/en-us/000184753/dsa-2021-054-dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-vulnerabilities",
              "refsource": "MISC",
              "url": "https://www.dell.com/support/kbdoc/en-us/000184753/dsa-2021-054-dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2021-21524",
    "datePublished": "2021-04-12T19:50:16.680Z",
    "dateReserved": "2021-01-04T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:52:52.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-36017

CVE-2021-21524 (GCVE-0-2021-21524)

Tags

Sightings

Nomenclature