CVE-2021-21547

Vulnerability

Dell EMC Unity, UnityVSA, and Unity XT versions prior to 5.0.7.0.5.008 contain a plain-text password storage vulnerability [1]. When the Dell Upgrade Readiness Utility is executed on the system, the credentials of the Unisphere Administrator are written to a file or log in plain text [1]. No special configuration beyond running the utility is required to trigger this exposure.

Exploitation

A local attacker with high privileges (e.g., root or administrator access) on the affected Dell Unity system can access the file containing the plain-text password [1]. The attacker does not need network access or user interaction; read access to the storage location is sufficient. The sequence involves locating the stored credential file after the Upgrade Readiness Utility has been run and extracting the administrator password.

Impact

Successful exploitation grants the attacker the privileges of the Unisphere Administrator, which include full administrative control over the Dell Unity storage system [1]. This results in a complete compromise of confidentiality, integrity, and availability of the storage platform (CVSS 6.4, vector AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

Dell has fixed this vulnerability in Unity, UnityVSA, and Unity XT version 5.0.7.0.5.008 and later [1]. Organizations should upgrade to the patched release. No workaround or KEV listing has been published; the only mitigation is applying the update.