CVE-2021-43589

Vulnerability

An operating system (OS) command injection vulnerability exists in Dell EMC Unity, Dell EMC UnityVSA, and Dell EMC Unity XT versions prior to 5.1.2.0.5.007 [1]. The flaw allows a locally authenticated user with high privileges to inject arbitrary OS commands into the underlying operating system of affected storage systems [1].

Exploitation

The attacker must have local access to the system and be authenticated with high privileges (e.g., an administrative role) [1]. No user interaction is required beyond authentication. The attacker can exploit the command injection by sending crafted input to the vulnerable application, which is executed with the privileges of that application [1].

Impact

Successful exploitation leads to the execution of arbitrary OS commands with the privileges of the vulnerable application [1]. This can result in an elevation of privilege, allowing the attacker to gain higher-level access or perform unauthorized actions on the underlying OS [1]. Confidentiality is not directly impacted, but integrity and availability can be compromised [1].

Mitigation

Dell has released fixed software version 5.1.2.0.5.007 to address this vulnerability [1]. All customers running affected versions (prior to 5.1.2.0.5.007) should update to the patched version as soon as possible. No workarounds are mentioned in the available reference [1].