June 18th, 2021 07:00

Vulnerability in Dell Security Management Server - DSA-2021-130

A vulnerability was identified within the Dell Security Management Server, specifically with the PostgreSQL version that is leveraged within the Windows version of the Dell Security Management Server.

A Dell Security Advisory has been published at https://www.dell.com/support/kbdoc/en-us/000188560/.

What is the issue?

Dell Security Management Server 11.0.0.147 and earlier contain a version of PostgreSQL that contains multiple vulnerabilities that can lead to unprivileged code execution, along with sensitive information being in unprotected directories.

NOTE: Dell Security Management Server Virtual 10.2.13 and later are unaffected by this issue.

What is being done?

Dell has released the Dell Security Management Server 11.0.1.152 on support.dell.com, which is an in-place upgrade for 11.0.0.147 and earlier builds. This version contains an upgrade to 11.12-2, which resolves all currently known vulnerabilities.

You can find this update here.

Technical Advisories are currently being updated, and will be available soon.

How can customers identify if they are affected?

On the Windows Server that hosts the Dell Security Management Server, the customer can look within Programs and Features, and inspect the “version” column for the installed server. This example shows a vulnerable version, 10.2.10:

[Screenshot: Programs and Features, version column]

The WebUI can also be leveraged to identify the version. Simply select the gear in the upper-right, and select About.

[Screenshot: WebUI gear menu with About selected]

This will show the version of the DSMS:

[Screenshot: About dialog showing the DSMS version]

Dell is working on publicizing this information to ensure customers are aware of this issue, and have access to the available updates.
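
The Programs and Features check described in the post can be scripted for servers that are managed remotely. The PowerShell below is an added example, not part of the original post or Dell's own tooling; it assumes the product's DisplayName in the uninstall registry keys contains "Dell Security Management Server", and it uses the affected (11.0.0.147 and earlier) and fixed (11.0.1.152) builds stated in the post.

```powershell
# Added example: local inventory check for DSA-2021-130 on a Windows host.
# Assumption: the DisplayName shown in Programs and Features contains
# "Dell Security Management Server". Adjust $NamePattern if yours differs.
$NamePattern       = '*Dell Security Management Server*'
$LastAffectedBuild = [version]'11.0.0.147'   # "11.0.0.147 and earlier" per the post
$FixedBuild        = [version]'11.0.1.152'   # fixed release per the post

# Programs and Features is populated from these uninstall keys (64- and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DsmsStatus {
    param([string]$DisplayVersion)

    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) {
        return 'Unknown: version string could not be parsed'
    }
    if ($parsed -le $LastAffectedBuild) { return 'Affected: upgrade required' }
    if ($parsed -ge $FixedBuild)        { return 'Fixed build or later' }
    # Builds between the two values are not described in the post.
    return 'Unknown: build not listed, check the advisory'
}

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Get-DsmsStatus $_.DisplayVersion
        }
    }

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Output "No product matching '$NamePattern' found on $env:COMPUTERNAME."
}
```

This applies to the Windows version of the server only; the Dell Security Management Server Virtual appliance is covered by the separate note in the post.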
