CVE-2021-21601
📋 TL;DR
Dell EMC Data Protection Search and IDPA contain an information exposure vulnerability where sensitive user credentials are logged in plain text. A local low-privileged attacker could read these logs to obtain credentials and potentially access the application with compromised account privileges. This affects Dell EMC Data Protection Search versions 19.4 and prior, and IDPA versions 2.6.1 and prior.
💻 Affected Systems
- Dell EMC Data Protection Search
- Dell EMC Integrated Data Protection Appliance (IDPA)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrative credentials from logs, leading to complete compromise of the Data Protection Search/IDPA system, potential data exfiltration, and lateral movement within the environment.
Likely Case
A local low-privileged user extracts credentials for other users, elevates privileges within the application, and accesses sensitive backup/search data they shouldn't have permission to view.
If Mitigated
With proper log file permissions and monitoring, unauthorized access to logs is prevented, limiting exposure to authorized administrators only.
🎯 Exploit Status
Exploitation requires local access to read log files. No special tools or complex techniques needed - just file read access to the vulnerable log location.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Data Protection Search: 19.5 or later; IDPA: 2.7 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/000189555
Restart Required: Yes
Instructions:
1. Download the appropriate update from Dell Support.
2. Back up the current configuration.
3. Apply the patch following Dell's update procedures.
4. Restart the affected services or appliance as required.
🔧 Temporary Workarounds
Restrict log file permissions (Linux)
Set strict file permissions on the log directories so that unauthorized users cannot read the sensitive log files (the path below is a placeholder for the actual log location):
chmod 600 /path/to/vulnerable/logs/*
chown root:root /path/to/vulnerable/logs/*
Enable log file encryption (all platforms)
Configure log file encryption, if the application supports it, to protect sensitive data at rest.
🧯 If You Can't Patch
- Implement strict access controls on log directories - only allow authorized administrators to read log files
- Regularly monitor and audit access to log files for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Confirm the installed version: Data Protection Search 19.4 or earlier and IDPA 2.6.1 or earlier are affected. Additionally, inspect the CIS component logs for user credentials recorded in plain text.
Check Version:
Check application web interface or administrative console for version information, or consult Dell documentation for version checking commands specific to each product.
Verify Fix Applied:
Verify installation of Data Protection Search 19.5+ or IDPA 2.7+. Check that credentials no longer appear in plain text in log files after patch application.
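The permission workaround above and this verification step can both be scripted. The following is an added example, not Dell's code: it audits a log directory for log files readable beyond their owner and for lines carrying an unmasked credential value, reporting file, line and key name but never the secret itself. The sample log tree and log line format are constructed for the demonstration and do not reflect the real CIS component log format.

```shell
#!/bin/sh
# Added example (not Dell's code). Audits a log directory for the two conditions
# the advisory describes: log files readable by group/others, and log lines that
# contain an unmasked credential value. Secrets are never echoed.

# Build a constructed log tree so the functions can be exercised offline.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '2021-06-01 10:00:01 INFO login user=admin password=Secr3t!\n' > "$dir/cis.log"
    printf '2021-06-01 10:00:02 INFO token=abcd1234 session opened\n' >> "$dir/cis.log"
    printf '2021-06-01 10:00:03 INFO login user=admin password=******\n' > "$dir/masked.log"
    chmod 644 "$dir/cis.log"     # readable by others: the exposure the advisory warns about
    chmod 600 "$dir/masked.log"  # owner-only, as the workaround recommends
    echo "$dir"
}

# List *.log files under $1 whose mode bits grant read access to group or others.
find_exposed_logs() {
    find "$1" -type f -name '*.log' \( -perm -g=r -o -perm -o=r \)
}

# A credential key followed by a value that is not masked out with asterisks.
CRED_RE='(password|passwd|pwd|token|secret)[[:space:]]*[=:][[:space:]]*"?[^*"[:space:]]'

# Print how many lines in file $1 contain an unmasked credential value.
count_plaintext_credentials() {
    grep -Eic "$CRED_RE" "$1" || true   # grep exits 1 on zero matches but still prints 0
}

# Report file:line and the leaking key name, never the value itself.
report_plaintext_credentials() {
    awk '{
        l = tolower($0)
        if (match(l, /(password|passwd|pwd|token|secret)[ \t]*[=:][ \t]*"?[^*" \t]/)) {
            key = substr(l, RSTART, RLENGTH)
            sub(/[ \t]*[=:].*$/, "", key)
            print FILENAME ":" NR ": unmasked value for key \"" key "\""
        }
    }' "$1"
}
```

Point the functions at the real log directory instead of the constructed one; any file listed by find_exposed_logs needs the chmod from the workaround, and any hit from the credential scan on a patched system means the fix is not in effect. Note that chown root:root only works if the service still writes its logs as root; otherwise keep the service account as owner and rely on mode 600.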
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to log directories
- Multiple failed login attempts followed by successful login with previously unused credentials
- User account activity from unexpected locations or times
Network Indicators:
- Unusual data exfiltration patterns from the Data Protection Search/IDPA system
SIEM Query:
source="dell-dps-logs" AND ((event_type="file_access" AND file_path="*log*" AND user!="authorized_admin") OR (authentication.success AND user="previously_compromised_account"))