CVE-2021-21533

Vulnerability

Wyse Management Suite versions up to 3.2 contain a vulnerability in the job status retrieval page. An authenticated user can send a malicious request that triggers a denial of service condition, preventing other users who would normally have access to the same subset of job details from retrieving job status information. The issue is present in the proprietary code of the product, as described in the Dell security advisory DSA-2021-070 [1].

Exploitation

An attacker must have a valid authenticated session on a Wyse Management Suite instance running version 3.2 or earlier. No special privileges beyond normal user credentials are required, as the vulnerability is triggered from the job status retrieval page. The attacker sends a crafted request to the server that causes the page to become unresponsive or crash, thereby denying service to other legitimate users trying to access the same job details [1].

Impact

Successful exploitation results in a denial of service (loss of availability) affecting the job status retrieval functionality. The CVSS v3.1 base score is 4.3 (medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The impact is limited to availability, with no effect on confidentiality or integrity [1]. Multiple users who need to view job status are prevented from doing so while the attack is sustained.

Mitigation

Dell has released a fix in Wyse Management Suite version 3.2 or later? The advisory DSA-2021-070 was published on 2021-04-02 and recommends upgrading to the latest version. Specifically, customers should apply the security update that addresses this vulnerability. No workarounds are mentioned in the advisory. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1].