Patches released this week by Dell for its OpenManage Enterprise product address multiple critical-severity vulnerabilities.
A systems management and monitoring application, Dell OpenManage Enterprise provides administrators with a comprehensive view of Dell EMC servers, network switches, and storage in their environment.
The most severe of these issues is CVE-2021-21564 (CVSS score of 9.8), an improper authentication vulnerability that could allow a remote attacker to “hijack an elevated session or perform unauthorized actions by sending malformed data.” Exploitation of the vulnerability does not require authentication.
Another critical vulnerability that Dell patched in OpenManage Enterprise is CVE-2021-21585 (CVSS score of 9.1), an OS command injection bug in RACADM and IPMI tools that could allow a remote, authenticated malicious user that already has high privileges to execute arbitrary OS commands.
A third critical flaw patched in Dell OpenManage Enterprise is CVE-2021-21596 (CVSS score of 9.6), a remote code execution issue that could allow a malicious attacker that has access to the immediate subnet to access sensitive information and potentially elevate privileges.
The vulnerability was identified by independent security researchers Pierre Kim and Alexandre Torres, who reported it to Dell along with more than 20 other issues in the infrastructure management console.
These include hardcoded ActiveMQ credentials, hardcoded keystore files, hardcoded JDBC passwords, hardcoded passwords for core_admin and replicator, an undocumented system account, multiple local privilege escalation issues, and Java deserialization flaws, among other security bugs.
The researchers said they discovered these vulnerabilities in July 2020, but reported them to Dell only this year. The company acknowledged only CVE-2021-21596 as having a real impact on OpenManage Enterprise, dismissing the other issues as not affecting the security of the application.
A few other vulnerabilities that Kim and Torres discovered in OpenManage Enterprise were silently patched over the past year, according to the researchers.
Related: Eclypsium: BIOSConnect Flaws Haunt Millions of Dell Computers
Related: High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices
Related: Critical Vulnerabilities Expose Dell Wyse Thin Client Devices to Attacks