Multiple vulnerabilities in Dell Terraform Provider for PowerStore

Published: 2024-06-13

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-49569 CVE-2017-3204
CWE-ID	CWE-22 CWE-300
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Terraform Provider for PowerStore Other software / Other software solutions
Vendor	Dell

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU85583

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-49569

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can overwrite arbitrary files on the system. Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Terraform Provider for PowerStore: before 1.1.2

External links

http://www.dell.com/support/kbdoc/nl-nl/000224455/dsa-2024-188-security-update-for-dell-terraform-provider-for-powerstore-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Man-in-the-Middle (MitM) attack

EUVDB-ID: #VU69451