SB2022111726 - Multiple vulnerabilities in Dell EMC VxRail Appliance
Published: November 17, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2021-0008)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A local administrator can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Out-of-bounds read (CVE-ID: CVE-2020-24506)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in a subsystem. A local administrator can trigger out-of-bounds read error and read contents of memory on the system.
3) Buffer overflow (CVE-ID: CVE-2020-8703)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in a subsystem. A local administrator can trigger memory corruption and gain elevated privileges on the target system.
4) Information disclosure (CVE-ID: CVE-2020-24507)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to improper initialization in a subsystem. A local administrator can gain unauthorized access to sensitive information on the system.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-24509)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient control flow management in subsystem, which leads to security restrictions bypass and privilege escalation.
6) Improper Initialization (CVE-ID: CVE-2021-0095)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper initialization in the firmware. A local administrator can run a specially crafted application to cause a denial of service contiion on the target system.
7) Race condition (CVE-ID: CVE-2020-8670)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in the firmware . A local administrator can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
8) Observable discrepancy (CVE-ID: CVE-2020-24512)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to observable timing discrepancy. A local user can gain unauthorized access to sensitive information on the system.
9) Out-of-bounds read (CVE-ID: CVE-2021-0009)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition. A remote attacker on the local network can trigger out-of-bounds read error and cause a denial of service condition on the system.
10) Uncaught Exception (CVE-ID: CVE-2021-0007)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to uncaught exception. A local administrator can cause a denial of service condition on the target system.
11) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2021-0006)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper conditions check in firmware. A local administrator can cause a denial of service condition on the target system.
12) Uncaught Exception (CVE-ID: CVE-2021-0005)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to uncaught exception. A local administrator can cause a denial of service condition on the target system.
13) Buffer overflow (CVE-ID: CVE-2021-0004)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error. A local administrator can trigger memory corruption and cause a denial of service condition on the target system.
14) SQL injection (CVE-ID: CVE-2021-36299)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
15) Input validation error (CVE-ID: CVE-2021-36300)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or cause information disclosure.
16) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2021-21580)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a Content spoofing / Text injection. A remote attacker can inject text to present a customized message on the application and phish users into believing that the message is legitimate.
17) Cross-site scripting (CVE-ID: CVE-2021-21581)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.