On September 27th, 2021, one of the venerable multinational global giants in computer technology, Dell, announced multiple software vulnerabilities affecting one of their industry-grade products. On Monday, Dell dumped a vast amount of release information for its EMC PowerProtect Data Manager product. The release report contains updates and fixes for a total of 78 security vulnerabilities affecting the product and its third-party components. Among the many vulnerabilities, the substantial list also includes some high-risk and critical risk level items. It is important to note that Dell confirmed the potential of malicious attacks in a system that is not updated to the latest official release.
Dell EMC PowerProtect Data Manager
Dell’s EMC PowerProtect Data Manager product is a microservices architecture industry-standard software that offers data protection and database protection in IT infrastructure. The software runs on hardware components, and can also be deployed to work with AWS (Amazon Web Services), Google Cloud, and Microsoft Azure to offer cloud protection. The software includes SaaS (Security-as-a-Service) monitoring solutions. Data Manager can protect databases such as; Kubernetes container, Windows NTFS, Linux, and VMware applications.
The Dell Software Vulnerability
On Dell’s Support Knowledge Base Security Advisory portal, a software vulnerability report named ‘DSA-2021-181: Dell EMC PowerProtect Data Manager Update for Multiple Security Vulnerabilities‘ was released on September 27th, 2021. Noted on the page is the following information; “Dell EMC PowerProtect Data Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected systems.“
Technical Details
Below is a comprehensive list that includes the affected files (third-party components) as well as their respective CVE ID vulnerability codes;
| Third-Party Component | CVE ID Code |
|---|---|
| MyBatis 3.4.4 | CVE-2020-26945 |
| Spring Cloud Netflix Zuul2.2.6.RELEASE | CVE-2021-22113 |
| json-smart 2.3 | CVE-2021-27568 |
| AWS SDK for Node.js v2.596.0 | CVE-2020-28472 |
| css-whatv4.0.0/css-whatv3.4.2 | CVE-2021-33587 |
| einaros/ws 6.2.2 | CVE-2021-32640 |
| engine.io 3.5.0 | CVE-2020-36048 |
| glob-parent 3.1.0 | CVE-2020-28469 |
| normalize_url v4.5.0/ normalize_url3.3.0 | CVE-2021-33502 |
| path-parse 1.0.6 | CVE-2021-23343 |
| PostCSS 7.0.35 | CVE-2021-23382 |
| CVE-2021-23368 | |
| Socket.IO Parser 3.3.2 | CVE-2020-36049 |
| UAParser.js 0.7.21 | CVE-2021-27292 |
| CVE-2020-7793 | |
| CVE-2020-7733 | |
| Apache Commons Compress 1.20 | CVE-2021-36090 |
| CVE-2021-35517 | |
| CVE-2021-35516 | |
| CVE-2021-35515 | |
| Expression Language 3.03.0.3 | CVE-2021-28170 |
| HashiCorp Consul v1.1.0 | CVE-2020-7219 |
| GoLang 1.16 | CVE-2021-34558 |
| CVE-2021-33198 | |
| CVE-2021-33197 | |
| CVE-2021-33196 | |
| CVE-2021-33195 | |
| CVE-2021-33194 | |
| CVE-2021-31525 | |
| CVE-2021-27919 | |
| CVE-2021-27918 | |
| CVE-2021-3121 | |
| CVE-2020-29652 | |
| CVE-2020-29511 | |
| CVE-2020-29510 | |
| CVE-2020-29509 | |
| CVE-2020-28852 | |
| CVE-2020-28851 | |
| libgcrypt20=1.6.1-16.77.1 | CVE-2021-33560 |
| libsystemd0=228-157.30.1 libudev1=228-157.30.1 systemd-bash-completion=228-157.30.1 systemd-sysvinit=228-157.30.1 systemd=228-157.30.1 udev=228-157.30.1 |
CVE-2021-33910 |
| containerd=1.4.4-16.42.1 | CVE-2021-21334 |
| CVE-2021-32760 | |
| python3-urllib3=1.25.10-3.29.1 | CVE-2021-33503 |
| bind-utils=9.11.22-3.34.1 libbind9-161=9.11.22-3.34.1 libdns1110=9.11.22-3.34.1 libirs161=9.11.22-3.34.1 libisc1107=9.11.22-3.34.1 libisccc161=9.11.22-3.34.1 libisccfg163=9.11.22-3.34.1 liblwres161=9.11.22-3.34.1 python-bind=9.11.22-3.34.1 |
CVE-2021-25214 |
| CVE-2021-25215 | |
| CVE-2021-25216 | |
| dhcp-client=4.3.3-10.22.1 dhcp=4.3.3-10.22.1 |
CVE-2021-25217 |
| libX11-6=1.6.2-12.21.1 libX11-data=1.6.2-12.21.1 |
CVE-2021-31535 |
| kernel-default=4.12.14-122.83.1 | CVE-2020-0429 |
| CVE-2021-3659 | |
| libmspack0=0.4-15.10.1 | CVE-2018-14681 |
| glibc-i18ndata=2.22-114.12.1 glibc-locale=2.22-114.12.1 glibc=2.22-114.12.1 |
CVE-2016-10228 |
| CVE-2020-27618 | |
| CVE-2020-29562 | |
| CVE-2020-29573 | |
| CVE-2021-35942 | |
| libpython3_6m1_0=3.6.13-4.42.1 python36-base=3.6.13-4.42.1 python36=3.6.13-4.42.1 |
CVE-2021-3426 |
| ucode-intel=20210525-3.35.1 | CVE-2020-24489 |
| CVE-2020-24511 | |
| CVE-2020-24512 | |
| CVE-2020-24513 | |
| libpolkit0=0.113-5.21.1 polkit=0.113-5.21.1 |
CVE-2021-3560 |
| libxml2-2=2.9.4-46.46.1 libxml2-tools=2.9.4-46.46.1 |
CVE-2021-3541 |
| libhogweed2=2.7.1-13.6.1 libnettle4=2.7.1-13.6.1 |
CVE-2021-3580 |
| libjpeg8=8.1.2-31.25.1 | CVE-2020-17541 |
| python3-PyYAML=5.3.1-28.4.3 | CVE-2020-14343 |
| postgresql10-server=10.17-4.16.4 postgresql10=10.17-4.16.4 |
CVE-2021-32027 |
| CVE-2021-32028 | |
| dbus-1-x11=1.8.22-35.2 dbus-1=1.8.22-35.2 libdbus-1-3=1.8.22-35.2 |
CVE-2020-35512 |
| java-1_8_0-openjdk-headless=1.8.0.292-27.60.1 | CVE-2021-2163 |
| libpq5=13.3-3.9.3 | CVE-2021-32027 |
| CVE-2021-32028 | |
| CVE-2021-32029 | |
| curl=7.60.0-11.23.1 libcurl4=7.60.0-11.23.1 |
CVE-2021-22925 |
| cpio-lang=2.11-36.9.2 cpio=2.11-36.9.2 |
CVE-2021-38185 |
| libsolv-tools=0.6.37-2.33.1 | CVE-2019-20387 |
| CVE-2021-3200 | |
| sudo >= 1.8.27-4.15.1 | CVE-2021-3156 |
Vulnerable Software Versions
Dell EMC PowerProtect Data Manager 19.8 and prior are at risk from the software weaknesses.
Important User Information
Dell Support has officially stated that fixes and remediation measures are available for the vulnerable versions of Dell EMC PowerProtect Data Manager. Users should upgrade as soon as possible to the secure version that is Dell EMC PowerProtect Manager 19.9. To update, Dell states that users must contact customer support.
