SB2022092303 - Multiple vulnerabilities in Dell DataIQ

Published: September 23, 2022

Security Bulletin ID: SB2022092303
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Infinite loop (CVE-ID: CVE-2022-0778)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in the BN_mod_sqrt() function when processing an ASN.1 certificate that contains an elliptic curve public key in compressed form, or explicit elliptic curve parameters with a base point encoded in compressed form. A remote attacker can supply a specially crafted certificate to a TLS server or client, consuming all available system resources and causing a denial of service.
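As an added, defender-side example that is not part of this bulletin or of Dell's code: a small DER walker that reports whether an EC SubjectPublicKeyInfo carries its public point in compressed form, the encoding path the issue above exercises, which is useful when triaging a certificate inventory. It assumes namedCurve parameters and only inspects the subjectPublicKey point (not the base point of explicit parameters); the P-256 SPKI it builds is constructed sample data, not a real key.

```python
# Triage helper: classify the point encoding of an EC SubjectPublicKeyInfo (DER).
# Compressed points (prefix 0x02/0x03) are the encoding CVE-2022-0778 exercises.

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 id-ecPublicKey
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7 prime256v1

def read_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def ec_point_form(spki_der):
    """Return 'compressed', 'uncompressed', 'hybrid', 'unknown', or 'not-ec'
    (when the AlgorithmIdentifier is not id-ecPublicKey)."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, off = read_tlv(spki, 0)            # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    tag, bits, _ = read_tlv(spki, off)           # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    prefix = bits[1]                             # bits[0] is the unused-bit count
    return {2: "compressed", 3: "compressed", 4: "uncompressed",
            6: "hybrid", 7: "hybrid"}.get(prefix, "unknown")

def der(tag, value):
    """Encode a DER TLV, using the long length form when needed."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_p256_spki(point):
    """Constructed P-256 SPKI wrapping an arbitrary point encoding (sample data)."""
    alg = der(0x30, der(0x06, EC_PUBLIC_KEY_OID) + der(0x06, PRIME256V1_OID))
    return der(0x30, alg + der(0x03, b"\x00" + point))
```

Run `ec_point_form(build_p256_spki(b"\x02" + bytes(32)))` to see a compressed sample classified; feed it the SPKI extracted from a real certificate to triage it.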


2) Access control error (CVE-ID: CVE-2016-6329)

The vulnerability allows attackers to gain access to potentially sensitive information.

The vulnerability exists because a long-duration TLS session encrypted with Blowfish in CBC mode can be captured. By repeatedly causing the protocol to transmit messages that contain parts of the plaintext, an attacker can reconstruct the secret information.

Successful exploitation of this vulnerability may allow a remote attacker to access potentially sensitive data.


Remediation

Install the update from the vendor's website.