Multiple vulnerabilities in Dell Storage Monitoring and Reporting (SMR)



Published: 2022-10-19
Risk High
Patch available YES
Number of vulnerabilities 38
CVE-ID CVE-2021-3449
CVE-2021-2171
CVE-2021-2174
CVE-2021-2179
CVE-2021-2180
CVE-2021-2194
CVE-2021-2226
CVE-2021-2307
CVE-2021-23841
CVE-2021-2166
CVE-2021-25122
CVE-2021-25329
CVE-2021-2161
CVE-2021-2163
CVE-2020-27223
CVE-2021-28163
CVE-2021-28164
CVE-2021-28165
CVE-2021-2169
CVE-2021-2162
CVE-2020-25647
CVE-2016-1544
CVE-2018-16395
CVE-2019-17571
CVE-2020-8625
CVE-2020-12321
CVE-2020-14372
CVE-2020-25632
CVE-2020-27749
CVE-2021-2154
CVE-2020-27779
CVE-2020-36221
CVE-2021-20225
CVE-2021-20233
CVE-2021-21300
CVE-2021-23840
CVE-2021-27218
CVE-2021-2146
CWE-ID CWE-476
CWE-20
CWE-399
CWE-502
CWE-94
CWE-200
CWE-400
CWE-787
CWE-119
CWE-264
CWE-416
CWE-121
CWE-285
CWE-191
CWE-681
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #15 is available.
Public exploit code for vulnerability #17 is available.
Public exploit code for vulnerability #27 is available.
Public exploit code for vulnerability #28 is available.
Public exploit code for vulnerability #34 is available.
Public exploit code for vulnerability #35 is available.
Vulnerable software
Subscribe
Dell EMC Storage Monitoring and Reporting (SMR)
Server applications / SCADA systems

Vendor Dell

Security Bulletin

This security bulletin contains information about 38 vulnerabilities.

1) NULL pointer dereference

EUVDB-ID: #VU51733

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3449

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing TLSv1.2 renegotiations. A remote attacker can send a maliciously crafted renegotiation ClientHello message, which omits the signature_algorithms extension but includes a signature_algorithms_cert extension, trigger a NULL pointer dereference error and crash the server.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU52420

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-2171

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU52419

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-2174

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Improper input validation

EUVDB-ID: #VU52400

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2179

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Improper input validation

EUVDB-ID: #VU52393

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2180

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Improper input validation

EUVDB-ID: #VU52394

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2194

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) Improper input validation

EUVDB-ID: #VU52401

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2226

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: Information Schema component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Improper input validation

EUVDB-ID: #VU52391

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-2307

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Server: Packaging component in MySQL Server. A local non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) NULL pointer dereference

EUVDB-ID: #VU50740

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23841

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the X509_issuer_and_serial_hash() function when parsing the issuer field in the X509 certificate. A remote attacker can supply a specially crafted certificate, trigger a NULL pointer dereference error and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Improper input validation

EUVDB-ID: #VU52396

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2166

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

11) Resource management error

EUVDB-ID: #VU51014

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-25122

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper management of internal resources within the application when processing new h2c connection requests. A remote attacker can send specially crafted requests to the server and obtain contents of HTTP responses, served to other users.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

12) Deserialization of Untrusted Data

EUVDB-ID: #VU51012

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-25329

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Note, the vulnerability exists due to incomplete fix for #VU28158 and requires a certain specific configuration.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

13) Code Injection

EUVDB-ID: #VU52448

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2161

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the java.lang.ProcessBuilder API on the Windows platform. A remote attacker can manipulate the Process command line and execute arbitrary code on the target system.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

14) Improper input validation

EUVDB-ID: #VU52449

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2163

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

15) Improper input validation

EUVDB-ID: #VU52385

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-27223

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

16) Information disclosure

EUVDB-ID: #VU51878

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-28163

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

17) Input validation error

EUVDB-ID: #VU51877

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-28164

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive informatoin.

The vulnerability exists due to insufficient validation of user-supplied input when processing special characters, passed via URI. A remote attacker can use %2e or %2e%2e segments to access protected resources within the WEB-INF directory.

Example:

http://[host]/context/%2e/WEB-INF/web.xml

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

18) Resource exhaustion

EUVDB-ID: #VU51876

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-28165

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing large TLS frames. A remote attacker can send specially crafted data to the server, trigger CPU high load and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

19) Improper input validation

EUVDB-ID: #VU52404

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2169

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

20) Improper input validation

EUVDB-ID: #VU52421

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-2162

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Server: Audit Plug-in component in MySQL Server. A remote authenticated user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

21) Out-of-bounds write

EUVDB-ID: #VU51189

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-25647

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input from USB device in grub_usb_device_initialize(). An attacker with physical access to the system can trigger an out-of-bounds write error with a malicious USB drive, bypass Secure Boot protection and execute arbitrary code on the system with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

22) Resource exhaustion

EUVDB-ID: #VU30377

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2016-1544

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local authenticated user to perform service disruption.

nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

23) Security restrictions bypass

EUVDB-ID: #VU15724

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-16395

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists in OpenSSL::X509::Name due to the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). A remote attacker can supply malicious X.509 certificate to be passed and bypass security restrictions to conduct further attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

24) Deserialization of Untrusted Data

EUVDB-ID: #VU27960

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-17571

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the SocketServer class in Log4j. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system,  if these is a deserialization gadget listening to untrusted network traffic for log data.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

25) Buffer overflow

EUVDB-ID: #VU50780

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-8625

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the SPNEGO implementation in the GSS-TSIG extension. A remote attacker can send a specially crafted DNS request to the server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

26) Buffer overflow

EUVDB-ID: #VU48422

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-12321

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error. A remote attacker on the local network can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

27) Security restrictions bypass

EUVDB-ID: #VU51187

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-14372

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local privileged user to bypass implemented security restrictions.

The vulnerability exists due to GRUB enables usage of the acpi command even when Secure Boot is enabled by firmware. A local user with root privileges can put a small SSDT into /boot/efi folder and modify the grub.cfg file to load that SSDT during kernel boot. The SSDT then gets run by the kernel and it overwrites the kernel lock down configuration enabling the attacker to load unsigned kernel modules and kexec unsigned code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

28) Use-after-free

EUVDB-ID: #VU51188

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-25632

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to a use-after-free error when handling module unloads. A local privileged user can unload a kernel module, trigger a use-after-free error and bypass Secure Boot protection mechanism.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

29) Stack-based buffer overflow

EUVDB-ID: #VU51193

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-27749

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the grub_parser_split_cmdline() function while expanding variable names present in the supplied command line in to their corresponding variable contents. A local privileged user can run a specially crafted program to trigger the stack-based buffer overflow and bypass Secure Boot protection.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

30) Improper input validation

EUVDB-ID: #VU52395

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2154

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

31) Improper Authorization

EUVDB-ID: #VU51194

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-27779

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a local user to bypass authorization checks.

The vulnerability exists within the cutmem command, which does not honor the Secure Boot locking. A local privileged user can remove address ranges from memory creating an opportunity to circumvent Secure Boot protections after proper triage about grub's memory layout.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

32) Integer underflow

EUVDB-ID: #VU50389

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-36221

CWE-ID: CWE-191 - Integer underflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer underflow within the serialNumberAndIssuerCheck() function in schema_init.c. A remote attacker can send a specially crafted request to the affected application, trigger an integer underflow and crash the slapd.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

33) Out-of-bounds write

EUVDB-ID: #VU51197

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20225

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the option parser. A local privileged user can write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

34) Out-of-bounds write

EUVDB-ID: #VU51198

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20233

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the setparam_prefix() function in menu rendering code. A local privileged user can run a specially crafted program to trigger out-of-bounds write and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

35) Code Injection

EUVDB-ID: #VU51337

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-21300

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Git for Visual Studio. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

36) Input validation error

EUVDB-ID: #VU50745

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23840

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

37) Incorrect Conversion between Numeric Types

EUVDB-ID: #VU51455

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-27218

CWE-ID: CWE-681 - Incorrect Conversion between Numeric Types

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to incorrect conversion between numeric types in Gnome Glib. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

38) Improper input validation

EUVDB-ID: #VU52413

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2146

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Options component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Storage Monitoring and Reporting (SMR): before 4.6.0.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000189667/dell-emc-srm-and-dell-emc-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###