CVE-2021-21505

Dell EMC Integrated System for Microsoft Azure Stack Hub, versions 1906 – 2011, contain an undocumented default iDRAC account. A remote unauthenticated attacker, with the knowledge of the default credentials, could potentially exploit this to log in to the system to gain root privileges.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000186008/dsa-2021-020-dell-emc-integrated-system-for-microsoft-azure-stack-hub-security-update-for-an-idrac-undocumented-account-vulnerability	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:dell:emc_integrated_system_for_microsoft_azure_stack_hub:-:*:*:*:*:*:*:*

cpe:2.3:o:dell:emc_integrated_system_for_microsoft_azure_stack_hub_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-05-06 13:15

Updated : 2022-10-24 20:36

NVD link : CVE-2021-21505

Mitre link : CVE-2021-21505

CVE.ORG link : CVE-2021-21505

JSON object : View

Products Affected

dell

emc_integrated_system_for_microsoft_azure_stack_hub_firmware
emc_integrated_system_for_microsoft_azure_stack_hub

CWE

CWE-1188

Initialization of a Resource with an Insecure Default

CWE-255

Credentials Management Errors

{"id": "CVE-2021-21505", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2021-05-06T13:15:11.200", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000186008/dsa-2021-020-dell-emc-integrated-system-for-microsoft-azure-stack-hub-security-update-for-an-idrac-undocumented-account-vulnerability", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1188"}]}, {"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC Integrated System for Microsoft Azure Stack Hub, versions 1906 \u2013 2011, contain an undocumented default iDRAC account. A remote unauthenticated attacker, with the knowledge of the default credentials, could potentially exploit this to log in to the system to gain root privileges."}, {"lang": "es", "value": "Dell EMC Integrated System for Microsoft Azure Stack Hub, versiones 1906-2011, contiene una cuenta iDRAC predeterminada sin documentar. Un atacante remoto no autenticado, con el conocimiento de las credenciales predeterminadas, podr\u00eda potencialmente explotar esto para iniciar sesi\u00f3n en el sistema y obtener privilegios de root"}], "lastModified": "2022-10-24T20:36:11.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dell:emc_integrated_system_for_microsoft_azure_stack_hub:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A31CF53E-FFEF-4AF2-BFE0-A6B52F5DFCBC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dell:emc_integrated_system_for_microsoft_azure_stack_hub_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E4929FE-C6B2-4281-860C-C7CB1F44D37C", "versionEndIncluding": "2011", "versionStartIncluding": "1906"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security_alert@emc.com"}