CVE-2021-36336
Description
Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated deserialization vulnerability in Dell Wyse Management Suite 3.3.1 and below allows remote code execution with critical impact.
Vulnerability
A deserialization vulnerability exists in Dell Wyse Management Suite versions 3.3.1 and below. The flaw resides in the way the software deserializes untrusted data, which can be triggered without authentication when the target system accepts specially crafted serialized objects over the network. No special configuration is required for the vulnerable code path to be reachable. [1]
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a malicious serialized object to the affected service. The attacker does not require any prior access or user interaction. The attacker's network position must allow them to reach the exposed service. Successful deserialization of the crafted object triggers arbitrary code execution. [1]
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the affected system with high privileges. This leads to a complete compromise of confidentiality, integrity, and availability (CIA), as the CVSS vector indicates: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, with a base score of 9.8 (Critical). [1]
Mitigation
Dell recommends upgrading to the latest version of Wyse Management Suite, which addresses this issue as detailed in the security advisory DSA-2021-224 [1]. Specific fixed version numbers and release dates should be confirmed from the vendor advisory. No workarounds are documented, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
[1] www.dell.com/support/kbdoc/000193079 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.