Article Number: 000189673

DSA-2021-113: Dell OpenManage Enterprise and Dell OpenManage Enterprise-Modular Security Update for Multiple Vulnerabilities

Summary: Dell OpenManage Enterprise and Dell OpenManage Enterprise-Modular remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. ...

Article Content

Impact

Critical

Details

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2021-21564	Dell OpenManage Enterprise versions prior to 3.6.1 contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to hijack an elevated session or perform unauthorized actions by sending malformed data.	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-21584	Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials.	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2021-21585	Dell OpenManage Enterprise versions prior to 3.6.1 contain an OS command injection vulnerability in RACADM and IPMI tools. A remote authenticated malicious user with high privileges may potentially exploit this vulnerability to execute arbitrary OS commands.	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-21596	Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00, contain a remote code execution vulnerability. A malicious attacker with access to the immediate subnet may potentially exploit this vulnerability leading to information disclosure and a possible elevation of privileges.	9.6	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2021-21564	Dell OpenManage Enterprise versions prior to 3.6.1 contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to hijack an elevated session or perform unauthorized actions by sending malformed data.	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-21584	Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials.	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2021-21585	Dell OpenManage Enterprise versions prior to 3.6.1 contain an OS command injection vulnerability in RACADM and IPMI tools. A remote authenticated malicious user with high privileges may potentially exploit this vulnerability to execute arbitrary OS commands.	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-21596	Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00, contain a remote code execution vulnerability. A malicious attacker with access to the immediate subnet may potentially exploit this vulnerability leading to information disclosure and a possible elevation of privileges.	9.6	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed	Product	Affected Versions	Updated Versions	Link to Update
CVE-2021-21564	Dell OpenManage Enterprise	Versions prior to 3.6.1	3.6.1	KB article 175879 :Support for Dell EMC OpenManage Enterprise
CVE-2021-21584	Dell OpenManage Enterprise	Version 3.5 only	3.6.1	KB article 175879: Support for Dell EMC OpenManage Enterprise
CVE-2021-21584	Dell OpenManage Enterprise-Modular	Version 1.30.00	1.30.10	OpenManage Enterprise Modular v1.30.10 \| Driver Details \| Dell US
CVE-2021-21585	Dell OpenManage Enterprise	Versions prior to 3.6.1	3.6.1	KB article 175879: Support for Dell EMC OpenManage Enterprise
CVE-2021-21596	Dell OpenManage Enterprise	Versions 3.4 through 3.6.1	3.6.2	https://dl.dell.com/openmanage_enterprise/3.6.2/
CVE-2021-21596	Dell OpenManage Enterprise-Modular	Versions 1.20.00 through 1.30.00	1.30.10	OpenManage Enterprise Modular v1.30.10 \| Driver Details \| Dell US

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available. Dell Technologies recommends updating to the latest versions at the earliest opportunity.

CVEs Addressed	Product	Affected Versions	Updated Versions	Link to Update
CVE-2021-21564	Dell OpenManage Enterprise	Versions prior to 3.6.1	3.6.1	KB article 175879 :Support for Dell EMC OpenManage Enterprise
CVE-2021-21584	Dell OpenManage Enterprise	Version 3.5 only	3.6.1	KB article 175879: Support for Dell EMC OpenManage Enterprise
CVE-2021-21584	Dell OpenManage Enterprise-Modular	Version 1.30.00	1.30.10	OpenManage Enterprise Modular v1.30.10 \| Driver Details \| Dell US
CVE-2021-21585	Dell OpenManage Enterprise	Versions prior to 3.6.1	3.6.1	KB article 175879: Support for Dell EMC OpenManage Enterprise
CVE-2021-21596	Dell OpenManage Enterprise	Versions 3.4 through 3.6.1	3.6.2	https://dl.dell.com/openmanage_enterprise/3.6.2/
CVE-2021-21596	Dell OpenManage Enterprise-Modular	Versions 1.20.00 through 1.30.00	1.30.10	OpenManage Enterprise Modular v1.30.10 \| Driver Details \| Dell US

Acknowledgements

CVE-2021-21596: Dell Technologies would like to thank Pierre Kim and Alexandre Torres for reporting this issue.

Revision History

Revision	Date	Description
1.0	2021-07-19	Initial release

Related Information

Legal Information

Article Properties

Affected Product

Dell EMC OpenManage Enterprise, Dell OpenManage Enterprise-Modular, Product Security Information

Last Published Date

19 Jul 2021

Article Type

Dell Security Advisory

Welcome

Welcome to Dell