CVE-2021-21513

8.6 HIGH

📋 TL;DR

CVE-2021-21513 is an authentication bypass vulnerability in Dell EMC OpenManage Server Administrator (OMSA) that allows remote unauthenticated attackers to gain administrative access to affected systems. This affects Windows installations with Distributed Web Server (DWS) enabled. Organizations using OMSA for server management are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Dell EMC OpenManage Server Administrator (OMSA)
Versions: Version 9.5
Operating Systems: Microsoft Windows
Default Config Vulnerable: ✅ No
Notes: Only affects installations with Distributed Web Server (DWS) enabled. Standard OMSA installations without DWS are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full administrative control over the server, enabling data theft, ransomware deployment, lateral movement, and complete system compromise.

🟠 Likely Case

Attackers exploit the vulnerability to gain administrative access, install malware, exfiltrate sensitive data, and use the system as a foothold for further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the management interface, though administrative access still poses significant risk.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing systems extremely vulnerable to immediate compromise.
🏢 Internal Only: HIGH - Even internally, unauthenticated attackers on the network can gain administrative access to critical management systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists, making exploitation straightforward for attackers with network access to vulnerable systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OMSA 9.5.0.0 or later with security updates

Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities

Restart Required: Yes

Instructions:

1. Download the latest OMSA update from Dell Support.
2. Apply the security update (DSA-2021-040).
3. Restart the system to complete installation.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Distributed Web Server (DWS)

Platform: Windows

Disable the vulnerable DWS component if it is not required for operations.

Open OMSA Configuration → Web Server → Disable Distributed Web Server

Network Access Control

Platform: all

Restrict network access to the OMSA management interface.

Use firewall rules to block external access to OMSA ports (typically 1311, 1312).

🧯 If You Can't Patch

  • Disable Distributed Web Server (DWS) component immediately
  • Implement strict network segmentation and firewall rules to isolate OMSA management interfaces

🔍 How to Verify

Check if Vulnerable:

Check if OMSA version is 9.5 with DWS enabled. Review OMSA configuration for DWS status.

Check Version:

Open OMSA → Help → About to check version

Verify Fix Applied:

Verify OMSA version is 9.5.0.0 or later and confirm DWS is either disabled or patched.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to OMSA web interface
  • Unusual administrative actions from unexpected IPs
  • Authentication bypass patterns in web server logs

Network Indicators:

  • Unusual traffic to OMSA ports (1311, 1312) from external sources
  • Administrative API calls without authentication

SIEM Query:

source="omsa_logs" AND (event="authentication_bypass" OR status="401" followed by admin_access)
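
The "401 followed by admin_access" correlation that the query above sketches, written out as an added Python example (not vendor code and not part of the original page). The records are constructed; `status` and `event` are taken from the query, while `ts`, `src_ip`, the `login_success` event name and the 5-minute window are assumptions to map onto your own log schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample records (documentation IP ranges), not real OMSA log output.
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T10:00:00", "src_ip": "192.0.2.20", "status": "401", "event": "request"},
    {"ts": "2021-03-02T10:00:04", "src_ip": "192.0.2.20", "status": "200", "event": "admin_access"},
    {"ts": "2021-03-02T10:01:00", "src_ip": "192.0.2.7", "status": "401", "event": "request"},
    {"ts": "2021-03-02T10:01:10", "src_ip": "192.0.2.7", "status": "200", "event": "login_success"},
    {"ts": "2021-03-02T10:01:15", "src_ip": "192.0.2.7", "status": "200", "event": "admin_access"},
    {"ts": "2021-03-02T10:02:00", "src_ip": "192.0.2.3", "status": "401", "event": "request"},
    {"ts": "2021-03-02T10:30:00", "src_ip": "192.0.2.3", "status": "200", "event": "admin_access"},
    {"ts": "2021-03-02T10:40:00", "src_ip": "192.0.2.8", "status": "200", "event": "authentication_bypass"},
]

def find_suspicious(events, window=WINDOW):
    """Return (src_ip, ts, reason) alerts in time order."""
    alerts = []
    last_401 = {}  # src_ip -> time of latest 401 not yet explained by a login
    # ISO timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, when = ev["src_ip"], datetime.fromisoformat(ev["ts"])
        if ev["event"] == "authentication_bypass":
            alerts.append((ip, ev["ts"], "explicit bypass event"))
        elif ev["event"] == "login_success":
            # A real login explains later admin access (mistyped password case).
            last_401.pop(ip, None)
        elif ev["status"] == "401":
            last_401[ip] = when
        elif ev["event"] == "admin_access":
            seen = last_401.pop(ip, None)
            # Alert only if the rejection was recent and no login came between.
            if seen is not None and when - seen <= window:
                alerts.append((ip, ev["ts"], "401 followed by admin_access"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

The intervening-login check and the time window are what keep an ordinary mistyped password, or an unrelated 401 from earlier in the day, from raising an alert.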
