SB2024062113 - Multiple vulnerabilities in Dell PowerScale OneFS

Published: June 21, 2024

Security Bulletin ID: SB2024062113
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Adjacent network
Highest impact: Code execution

Breakdown by Severity

Medium: 33%, Low: 67%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2023-42465)

The vulnerability allows a local user to bypass the authentication process.

The vulnerability exists due to insufficient resistance to rowhammer attacks. A local user can bypass the authentication process and gain unauthorized access to the system.


2) Error Handling (CVE-ID: CVE-2023-23931)

The vulnerability allows an attacker to misuse the Python API.

The vulnerability exists due to a soundness bug within the Cipher.update_into function, which can allow immutable objects (such as bytes) to be mutated. A malicious programmer can misuse the Python API to introduce unexpected behavior into the application.
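The defensive pattern behind the fix for this class of bug is to refuse any output buffer that is not writable before the cipher touches it. The following is an added illustration, not Dell's or the pyca/cryptography project's code: require_writable, ToyStreamCipher and the two helper functions are hypothetical names, and the toy repeating-key XOR cipher is only a stand-in so the example runs without the cryptography package installed.

```python
"""Guarding an update_into-style call against read-only output buffers.

Added illustration (not Dell's or pyca/cryptography's code). The page describes
a soundness bug in Cipher.update_into that let immutable objects such as bytes
be written to. The check below is the defender-side contract: the caller must
supply a writable, sufficiently large buffer (bytearray or a writable
memoryview), and anything else is rejected with TypeError before any write.
"""


def require_writable(buf) -> memoryview:
    """Return a writable byte-oriented memoryview over buf, or raise TypeError.

    memoryview(bytes) is read-only, so a bytes object (the case named in the
    advisory) is refused here rather than silently mutated.
    """
    mv = memoryview(buf)
    if mv.readonly:
        raise TypeError(
            "output buffer must be writable (bytearray or writable memoryview), "
            "not %s" % type(buf).__name__
        )
    # cast("B") also rejects non-contiguous views, which cannot be written linearly
    return mv.cast("B")


class ToyStreamCipher:
    """Hypothetical stand-in for a real cipher context.

    The keystream is a repeating key XOR and is NOT cryptographic; it exists only
    so the buffer-handling contract can be exercised offline.
    """

    def __init__(self, key: bytes):
        if not key:
            raise ValueError("key must be non-empty")
        self._key = key
        self._pos = 0

    def _keystream(self, n: int) -> bytes:
        k = self._key
        out = bytes(k[(self._pos + i) % len(k)] for i in range(n))
        self._pos += n
        return out

    def update_into(self, data: bytes, out) -> int:
        """Encrypt data into out; return the number of bytes written.

        Mirrors the hardened API shape: the writability check runs first, then
        the size check, and only then are bytes written.
        """
        mv = require_writable(out)
        if len(mv) < len(data):
            raise ValueError("output buffer too small: need %d, have %d" % (len(data), len(mv)))
        ks = self._keystream(len(data))
        for i, b in enumerate(data):
            mv[i] = b ^ ks[i]
        return len(data)


def encrypt_with_preallocated_buffer(key: bytes, plaintext: bytes) -> bytes:
    """The correct calling pattern: allocate a writable buffer sized up front."""
    out = bytearray(len(plaintext))
    n = ToyStreamCipher(key).update_into(plaintext, out)
    return bytes(out[:n])


def try_immutable_output(key: bytes, plaintext: bytes) -> str:
    """Show what happens when bytes is (wrongly) passed as the output buffer."""
    try:
        ToyStreamCipher(key).update_into(plaintext, b"\x00" * len(plaintext))
    except TypeError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample input
    ct = encrypt_with_preallocated_buffer(b"k", b"hi")
    print("ciphertext:", ct.hex())
    print("bytes as output buffer:", try_immutable_output(b"k", b"hi"))
```

Because the XOR keystream is symmetric, running encrypt_with_preallocated_buffer over its own output with the same key returns the plaintext, which makes the round trip easy to check. The readonly test on memoryview is the same property a hardened update_into relies on: CPython exposes it for every buffer-protocol object, so the guard costs one attribute lookup and needs no type whitelist.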


3) Use of hard-coded credentials (CVE-ID: CVE-2024-29170)

The vulnerability allows an adjacent network attacker to gain full access to a vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in application code. An adjacent network unauthenticated attacker can potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service.


Remediation

Install the update from the vendor's website.