Vulnerabilities were identified that could 'compromise administrative sessions'
Dell has patched vulnerabilities in the Wyse Management Suite (WMS) that could open up databases to abuse and put administrative sessions at risk.
On July 6, NCC Group security researcher Stephen Tomkinson released a technical advisory exploring CVE-2021-21586 (CVSS 8.1) and CVE-2021-21587 (CVSS 5.3), two vulnerabilities in WMS privately reported to Dell in early May.
Hub and spoke
WMS is management software provided by Dell to act as a central hub for endpoints including Dell Hybrid Client, Wyse thin clients, and zero client hardware. The technology can be used to monitor up to 10,000 endpoints as well as manage users and configuration.
However, according to Tomkinson, WMS also requires a level of exposure to edge network connections, even when it is used in otherwise secure environments.
On versions of the software prior to 3.3, the pair of vulnerabilities, described as an absolute path traversal and a full path disclosure issue, collectively permit attackers to “retrieve arbitrary files from the server, including database credentials and database files containing the session data of administrative users”.
NCC Group found that an endpoint, /ccm-web/image/os, accepted parameters that allowed files to be retrieved from anywhere on an exposed system.
A second vulnerable endpoint, also discovered by the research team, allowed further exploitation because it revealed the filesystem path where the product was installed through an error message.
According to the team, CVE-2021-21587 can be exploited if a local attacker has physical access to a thin client and its network connection.
It may also be possible for remote attackers to trigger CVE-2021-21586 at the start of an attack chain, authenticating to a vulnerable endpoint by launching a manipulator-in-the-middle (MitM) attack.
Once a request is made to the installation path of the software, an attacker can retrieve session tokens contained in a MySQL database table. Cookie values extracted from this table allowed session hijacking to take place, and it was also possible to obtain hashed WMS administrative user password credentials.
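The two bug classes described above, absolute path traversal on a file-serving endpoint and install-path disclosure through error text, are illustrated by the following added example. It is not code from Dell or NCC Group; the image root directory, the `name` query parameter and the sample log lines are constructed for illustration. It shows a hardened resolver that confines requests to a base directory without echoing the install path, and a detector that flags traversal probes against the affected endpoint in web-server access logs.

```python
from pathlib import Path, PurePosixPath
from typing import Iterable, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed base directory; the real WMS install path is not given on the page.
IMAGE_ROOT = Path("/opt/wms/images")


def resolve_image_path(requested: str, root: Path = IMAGE_ROOT) -> Path:
    """Map a client-supplied image name onto a path strictly inside `root`.
    Rejects absolute paths (the CVE-2021-21586 bug class), '..' components,
    backslashes, NUL bytes and symlink escapes. The error text is deliberately
    generic so a failure never echoes the install directory (CVE-2021-21587 class).
    """
    if not requested or "\\" in requested or "\x00" in requested:
        raise ValueError("invalid image name")
    rel = PurePosixPath(requested)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError("invalid image name")
    root_abs = root.resolve()
    candidate = (root_abs / rel).resolve()  # resolve() also follows symlinks
    if root_abs not in candidate.parents:   # must be strictly below the root
        raise ValueError("invalid image name")
    return candidate


def is_safe_image_name(requested: str) -> bool:
    """Boolean wrapper around resolve_image_path for callers and tests."""
    try:
        resolve_image_path(requested)
        return True
    except ValueError:
        return False


def traversal_attempts(access_log: Iterable[str],
                       endpoint: str = "/ccm-web/image/os") -> List[str]:
    """Return combined-format log lines whose query parameters to `endpoint`
    carry an absolute path, '..' or a backslash, i.e. probes for this bug class.
    Values are URL-decoded twice so double-encoded probes are also caught."""
    hits = []
    for line in access_log:
        try:
            _method, target, _proto = line.split('"')[1].split(" ")
        except (IndexError, ValueError):
            continue  # not a request line we understand; skip it
        parts = urlsplit(target)
        if parts.path != endpoint:
            continue
        for _key, value in parse_qsl(parts.query, keep_blank_values=True):
            v = unquote(unquote(value))
            if v.startswith("/") or ".." in v or "\\" in v:
                hits.append(line)
                break
    return hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jul/2021:10:00:01 +0000] "GET /ccm-web/image/os?name=thinos9.img HTTP/1.1" 200 4096',
    '10.0.0.9 - - [06/Jul/2021:10:00:02 +0000] "GET /ccm-web/image/os?name=%2Fetc%2Fpasswd HTTP/1.1" 200 1820',
    '10.0.0.9 - - [06/Jul/2021:10:00:03 +0000] "GET /ccm-web/image/os?name=..%252F..%252Fconf%252Fapp.properties HTTP/1.1" 200 512',
    '10.0.0.7 - - [06/Jul/2021:10:00:04 +0000] "GET /ccm-web/login HTTP/1.1" 200 980',
]
```

Run the detector over a real Tomcat or reverse-proxy access log to find which hosts probed the endpoint before version 3.3 was deployed, and pair it with the resolver pattern when reviewing any file-serving handler.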
Keys to the kingdom
The vulnerabilities could allow attackers to obtain access to an entire estate and its management interface – allowing them to perform actions including resetting BIOS passwords, remotely observing terminals via virtual network computing (VNC) software, and compromising administrator sessions, among other actions.
After NCC Group notified Dell, the vendor requested more information before confirming the vulnerability on May 20. A patch was issued on June 18.
Dell has since issued a security advisory, published on July 6.
“Dell has remediated multiple vulnerabilities in Wyse Management Suite (WMS) and assigned CVEs CVE-2021-21586 and CVE-2021-21587,” the vendor told The Daily Swig.
“Customers can review the Dell Security Advisory for the affected products, versions, and additional information. Thanks to Stephen Tomkinson and David Cash of NCC Group for reporting this issue.”