CVE-2021-21517
📋 TL;DR
CVE-2021-21517 is an XML External Entity Injection (XXE) vulnerability in Dell EMC SRS Policy Manager 6.X that allows remote unauthenticated attackers to read system files as a non-root user and potentially disrupt the ESRS service. This affects organizations using vulnerable versions of SRS Policy Manager for remote support management.
💻 Affected Systems
- Dell EMC SRS Policy Manager
⚠️ Risk & Real-World Impact
Worst Case
An attacker could read sensitive system files, potentially obtaining credentials or configuration data, and cause temporary service disruption of the ESRS (Enhanced Secure Remote Services) functionality.
Likely Case
Attackers read accessible system files and cause intermittent interruptions of the ESRS service.
If Mitigated
Limited impact with proper network segmentation and XML input validation controls in place.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity when the vulnerable endpoint is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to the latest version as specified in DSA-2021-045
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000183576/dsa-2021-045-dell-emc-srs-policy-manager-security-update-for-external-entity-injection-vulnerability
Restart Required: Yes
Instructions:
1. Download the security update from the Dell support portal.
2. Apply the patch following Dell's installation instructions.
3. Restart the SRS Policy Manager service.
🔧 Temporary Workarounds
Disable DTD Processing
Configure the XML parser to disable DTD processing and external entity resolution.
Specific configuration depends on XML parser implementation. Consult Dell documentation for SRS Policy Manager XML parser configuration.
Network Segmentation
Restrict network access to SRS Policy Manager to trusted sources only.
Use firewall rules to limit access to SRS Policy Manager ports.
🧯 If You Can't Patch
- Implement strict input validation for all XML input to SRS Policy Manager
- Deploy network-based XML validation proxy to sanitize requests before reaching vulnerable system
🔍 How to Verify
Check if Vulnerable:
Check the SRS Policy Manager version against the affected 6.X range and review the XML parser configuration
Check Version:
Check SRS Policy Manager version through administrative interface or configuration files
Verify Fix Applied:
Verify that the installed version is beyond the vulnerable range and that test XXE payloads are rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Multiple failed XML processing attempts
- System file access attempts via XML parsing
Network Indicators:
- XML payloads containing external entity references
- Unusual outbound connections from SRS Policy Manager to external systems
SIEM Query:
Search for XML parsing errors in SRS Policy Manager logs combined with external entity references in request payloads
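The validation-proxy workaround above and the Network Indicators / SIEM Query items both come down to the same check: inspect the XML prolog for DOCTYPE and ENTITY declarations before a parser sees the document, and parse with external entity resolution switched off. The following added example (written for this page in Python's standard library; it is not Dell's code and says nothing about how SRS Policy Manager's own parser is configured) shows both halves: a classifier that maps a raw request body to those indicators, a block-on-DOCTYPE policy a gateway could apply, and a hardened SAX parse. The request bodies are constructed samples, not captured traffic, and the file path in the external entity sample is a placeholder.

```python
# Added example: pre-parse XXE guard plus hardened SAX parse (Python stdlib).
# Not Dell's code; the request bodies below are constructed samples.
import io
import re
import xml.sax
from xml.sax import handler

# Prolog patterns a gateway or proxy can evaluate before any parser sees the
# document. XML keywords are case-sensitive, but matching case-insensitively
# costs nothing for a defender and catches sloppy variants.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_DECL = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
_EXTERNAL_ID = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_PARAM_ENTITY = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


def classify_xml_request(payload: bytes) -> dict:
    """Map a raw XML request body to the indicators listed under Network Indicators."""
    return {
        "doctype": bool(_DOCTYPE.search(payload)),
        "entity_decl": bool(_ENTITY_DECL.search(payload)),
        "external_ref": bool(_EXTERNAL_ID.search(payload)),
        "parameter_entity": bool(_PARAM_ENTITY.search(payload)),
    }


def should_block(payload: bytes) -> bool:
    """Proxy policy (assumed): the management protocol never needs a DTD, so any
    DOCTYPE is rejected. Blocking on DOCTYPE rather than only on SYSTEM/PUBLIC
    also stops entity-expansion documents, which carry no external reference."""
    return classify_xml_request(payload)["doctype"]


class DoctypeRejected(ValueError):
    """Raised when a request is refused before parsing."""


class _Collector(handler.ContentHandler):
    """Minimal handler: records the root element name and concatenated text."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.chunks = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name

    def characters(self, content):
        self.chunks.append(content)


def safe_parse(payload: bytes):
    """Apply the DOCTYPE guard, then parse with external general and parameter
    entity resolution disabled. Returns (root element name, text content)."""
    if should_block(payload):
        raise DoctypeRejected("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # no external general entities
    parser.setFeature(handler.feature_external_pes, False)  # no external parameter entities
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return collector.root, "".join(collector.chunks).strip()


def is_rejected(payload: bytes) -> bool:
    """True if safe_parse refuses the payload at the guard stage."""
    try:
        safe_parse(payload)
    except DoctypeRejected:
        return True
    return False


# Constructed sample request bodies (not captured traffic).
BENIGN = b'<?xml version="1.0"?><policy><rule>allow</rule></policy>'
INTERNAL_DTD = (b'<?xml version="1.0"?><!DOCTYPE policy [<!ENTITY name "rule-1">]>'
                b'<policy>&name;</policy>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE policy [<!ENTITY ext SYSTEM "file:///constructed/sample.txt">]>'
                   b'<policy>&ext;</policy>')

if __name__ == "__main__":
    samples = (("benign", BENIGN), ("internal-dtd", INTERNAL_DTD), ("external-entity", EXTERNAL_ENTITY))
    for label, body in samples:
        print(label, classify_xml_request(body), "block" if should_block(body) else "allow")
    print(safe_parse(BENIGN))
```

The classifier's per-indicator output is what a SIEM rule would key on (a DOCTYPE alone is worth a low-severity event; an external identifier or parameter entity warrants an alert), while the gateway policy simply blocks on DOCTYPE. Two caveats: the check operates on bytes, so it must run after transport decoding and after any UTF-16 body has been converted to UTF-8, or the patterns will not match; and the SAX feature flags alone do not stop internal entity expansion, which is why the DOCTYPE guard sits in front of the parser rather than relying on the parser configuration by itself.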
🔗 References
- https://www.dell.com/support/kbdoc/en-us/000183576/dsa-2021-045-dell-emc-srs-policy-manager-security-update-for-external-entity-injection-vulnerability