Multiple vulnerabilities in Dell PowerScale OneFS

Published: 2024-06-21

Risk	Medium
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2023-42465 CVE-2023-23931 CVE-2024-29170
CWE-ID	CWE-287 CWE-388 CWE-798
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software Subscribe	PowerScale OneFS Hardware solutions / Firmware
Vendor	Dell

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper Authentication

EUVDB-ID: #VU85764

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42465

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a local user to bypass authentication process.

The vulnerability exists due to insufficient resistance to rowhammer attacks. A local user can bypass authentication process and gain unauthorized access to the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerScale OneFS: before 9.7.1.0

CPE2.3

External links

http://www.dell.com/support/kbdoc/nl-nl/000225667/dsa-2024-210-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Error Handling

EUVDB-ID: #VU72036

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23931

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows an attacker to misuse Python API.

The vulnerability exists due to a soundness bug within the Cipher.update_into function, which can allow immutable objects (such as bytes) to be mutated. A malicious programmer can misuse Python API to introduce unexpected behavior into the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerScale OneFS: before 9.7.1.0

CPE2.3

External links

http://www.dell.com/support/kbdoc/nl-nl/000225667/dsa-2024-210-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of hard-coded credentials

EUVDB-ID: #VU92999

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-29170

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows an adjacent network attacker to gain full access to vulnerable system.

The vulnerability exists due to presence of hard-coded credentials in application code. An adjacent network unauthenticated attacker can potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerScale OneFS: before 9.7.1.0

CPE2.3

External links

http://www.dell.com/support/kbdoc/nl-nl/000225667/dsa-2024-210-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.