CVE-2021-36310
Description
Dell Networking OS10 API service in multiple versions has uncontrolled resource consumption, allowing a high-privileged API user to cause denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dell Networking OS10 versions 10.4.3.x, 10.5.0.x, 10.5.1.x, and 10.5.2.x contain an uncontrolled resource consumption flaw in their API service [1]. The vulnerability exists in the RESTCONF API, which is enabled by default in these versions. A high-privileged API user can trigger excessive resource consumption, leading to denial of service.
Exploitation
An attacker must have high-privileged access to the API service, meaning they need valid credentials with administrative privileges. The exploit does not require user interaction or specific network position beyond network access to the API endpoint. By sending crafted API requests that consume excessive system resources (e.g., memory or CPU), the attacker can exhaust available resources.
Impact
Successful exploitation results in denial of service (availability impact) on the affected OS10 system. The CVSS v3.1 base score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) [1]. No impact to confidentiality or integrity is noted; the availability of the API service and potentially the entire system may be degraded or made unavailable.
Mitigation
Dell has released a security update (DSA-2021-189) that addresses this vulnerability [1]. Affected users should update to OS10 versions after October 2021, which contain the fix. No workaround has been published. The vulnerability is not listed on the CISA KEV as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 10.4.3.x, 10.5.0.x, 10.5.1.x, 10.5.2.x
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
[1] www.dell.com/support/kbdoc/en-us/000193076 (mitre, x_refsource_MISC)