CVE-2021-21558 in NetWorker

Summary

by MITRE • 06/09/2021

Dell EMC NetWorker, 18.x, 19.1.x, 19.2.x, 19.3.x, 19.4 and 19.4.0.1, contains an Information Disclosure vulnerability. A local administrator of the gstd system may potentially exploit this vulnerability to read LDAP credentials from local logs and use the stolen credentials to make changes to the network domain.


Analysis

by VulDB Data Team • 06/11/2021

CVE-2021-21558 affects Dell EMC NetWorker versions 18.x through 19.4.0.1 and is a critical information disclosure flaw in an enterprise backup and recovery product. It is specific to the gstd system component, where a local administrator can take advantage of improper logging practices to extract Lightweight Directory Access Protocol (LDAP) credentials. The flaw stems from inadequate input validation and output sanitization in the logging subsystem, which exposes authentication material that should remain protected. The credentials in question are typically administrative LDAP account details that carry extensive privileges within the network domain.

Exploitation requires a local administrator to use their existing system access to examine log files in which LDAP authentication information is stored in plaintext. This is a classic case of insecure logging, violating the principles behind CWE-312 (Cleartext Storage of Sensitive Information) and CWE-532 (Information Exposure Through Log Files). An attacker with local administrative access can extract the credentials and use them to impersonate legitimate users within the network domain, potentially making unauthorized changes to critical network resources.

The operational impact goes beyond simple credential theft: the exposed credentials give an attacker a persistent foothold from which to maintain access and escalate privileges within the network infrastructure. A local administrator of the affected system can use the stolen LDAP credentials to make unauthorized changes to network domain configuration, potentially compromising the integrity and availability of the entire backup and recovery ecosystem. The vulnerability directly undermines the principle of least privilege and the controls defined in the NIST Cybersecurity Framework, particularly the Protect and Detect functions. Exploitation could lead to unauthorized data access, system modification, and lateral movement within the network environment.

Organizations should apply immediate mitigations: disable unnecessary logging of sensitive information, sanitize logs properly, and enforce strict access controls on local administrative accounts. LDAP credentials must never be stored in plaintext in log files, and monitoring should be in place to detect unauthorized access to sensitive system components. The vulnerability also illustrates the relevance of ATT&CK techniques such as T1078 (Valid Accounts) and T1566 (Phishing), where credential compromise leads to persistent access and privilege escalation. Regular security audits and privilege reviews minimize the attack surface and support compliance with standards such as ISO 27001 and the CIS Controls.
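The log-sanitization and monitoring controls recommended above, as an added example that is neither NetWorker's code nor VulDB's: a Python logging filter that masks LDAP bind secrets before a record is written, plus a scanner that flags credential exposure in existing log lines. The patterns, host names and sample log lines are constructed for illustration and do not reflect NetWorker's actual log format.

```python
import logging
import re

# Constructed patterns for LDAP bind secrets (not NetWorker's real log format).
# Each has three groups: the key, the separator, and the secret to be masked.
_SECRET_PATTERNS = [
    # key=value or key: value, e.g. bindPassword=..., ldap_pw: ..., password=...
    re.compile(r'(?i)\b((?:bind|ldap)[_-]?(?:pass(?:word)?|pw)|password)(\s*[=:]\s*)"?([^\s",;]+)"?'),
    # ldapsearch-style bind password given on a logged command line: -w <secret>
    re.compile(r'(?<!\S)(-w)(\s+)(\S+)'),
]
_MASK = r"\1\2<REDACTED>"


def redact(line: str) -> str:
    """Return the line with every recognised LDAP secret replaced by <REDACTED>."""
    for pattern in _SECRET_PATTERNS:
        line = pattern.sub(_MASK, line)
    return line


class SecretRedactingFilter(logging.Filter):
    """Masks secrets in a record before any handler writes it to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format args first, then mask
        record.args = ()
        return True  # never drop the record, only sanitise it


def find_exposures(lines):
    """Scan existing log lines; return (line_number, redacted_line) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        cleaned = redact(line)
        if cleaned != line:
            hits.append((number, cleaned))
    return hits


# Constructed sample log lines; the secrets and hosts are invented.
SAMPLE_LOG = [
    "gstd: ldap bind dn=cn=admin,dc=example,dc=com bindPassword=S3cret! result=0",
    'exec: ldapsearch -x -H ldap://dc01 -D "cn=svc,dc=example,dc=com" -w Hunter2 -b dc=example,dc=com',
    "gstd: ldap authentication succeeded for user jdoe",
]

if __name__ == "__main__":
    log = logging.getLogger("gstd")
    log.addFilter(SecretRedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log.info("ldap bind as %s with password=%s", "cn=admin,dc=example,dc=com", "S3cret!")
    for number, cleaned in find_exposures(SAMPLE_LOG):
        print(f"line {number} exposed a credential: {cleaned}")
```

Attach the filter to the logger that emits authentication messages, and run `find_exposures` over rotated logs to decide whether credential rotation is needed after the fact.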

Responsible: Dell
Reservation: 01/04/2021
Disclosure: 06/09/2021
Moderation: accepted
CPE: ready
EPSS: 0.00250
KEV: no
Activities: very low
