Vulnerabilities > CVE-2021-36289 - Information Exposure Through Log Files vulnerability in Dell EMC Unity Operating Environment

CVSS 4.6 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

local

low complexity

dell

CWE-532

NVD

Published: 2022-01-25

Updated: 2022-01-31

Summary

Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it.

Vulnerable Configurations

Part	Description	Count
Application	Dell Dell EMC Unity Operating Environment - Dell EMC Unity Operating Environment 4.0.0.7329527 Dell EMC Unity Operating Environment 4.0.1.8194551 Dell EMC Unity Operating Environment 4.0.1.8320161 Dell EMC Unity Operating Environment 4.0.1.8404134 Dell EMC Unity Operating Environment 4.0.2.8627717 Dell EMC Unity Operating Environment 4.1.0.8940590 Dell EMC Unity Operating Environment 4.1.0.8959731 Dell EMC Unity Operating Environment 4.1.0.9058043 Dell EMC Unity Operating Environment 4.1.1.9138882 Dell EMC Unity Operating Environment 4.1.2.9257522 Dell EMC Unity Operating Environment 4.2.0.9392909 Dell EMC Unity Operating Environment 4.2.0.9476662 Dell EMC Unity Operating Environment 4.2.1.9535982 Dell EMC Unity Operating Environment 4.2.2.9632250 Dell EMC Unity Operating Environment 4.2.3.9670635 Dell EMC Unity Operating Environment 4.3.0.1522077968 Dell EMC Unity Operating Environment 4.3.1.1525703027 Dell EMC Unity Operating Environment 4.4.0.1534750794 Dell EMC Unity Operating Environment 4.4.1.1539309879 Dell EMC Unity Operating Environment 5.0.0.0.5.116 Dell EMC Unity Operating Environment 5.0.2.0.5.009 Dell EMC Unity Operating Environment 5.0.4.0.5.012 Dell EMC Unity Operating Environment 5.1.0.0.5.394 Dell EMC Unity Operating Environment 5.1.2.0.5.007	25
Hardware	Dell Dell Vnx5200 - Dell Vnx5400 - Dell Vnx5600 - Dell Vnx5800 - Dell Vnx7600 - Dell Vnx8000 - Dell VNX Vg10 - Dell VNX Vg50 -	8

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

References

https://www.dell.com/support/kbdoc/en-us/000191155/dsa-2021-164-dell-vnx2-control-station-security-update-for-multiple-vulnerabilities