Multiple vulnerabilities in Dell PowerScale OneFS
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2023-42465 CVE-2023-23931 CVE-2024-29170 |
| CWE-ID | CWE-287 CWE-388 CWE-798 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
PowerScale OneFS Hardware solutions / Firmware |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU85764
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-42465
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass authentication process.
The vulnerability exists due to insufficient resistance to rowhammer attacks. A local user can bypass authentication process and gain unauthorized access to the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsPowerScale OneFS: before 9.7.1.0
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Error Handling
EUVDB-ID: #VU72036
Risk: Low
CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-23931
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
DescriptionThe vulnerability allows an attacker to misuse Python API.
The vulnerability exists due to a soundness bug within the Cipher.update_into function, which can allow immutable objects (such as bytes) to be mutated. A malicious programmer can misuse Python API to introduce unexpected behavior into the application.
Install update from vendor's website.
Vulnerable software versionsPowerScale OneFS: before 9.7.1.0
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use of hard-coded credentials
EUVDB-ID: #VU92999
Risk: Medium
CVSSv3.1: 7.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-29170
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
DescriptionThe vulnerability allows an adjacent network attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code. An adjacent network unauthenticated attacker can potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsPowerScale OneFS: before 9.7.1.0
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
