SB2024102543 - Multiple vulnerabilities in Dell APEX Cloud Platform for Microsoft Azure

Description

This security bulletin contains information about 15 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2024-23499)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the system and perform a denial of service (DoS) attack.

2) Race condition (CVE-ID: CVE-2023-41833)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in UEFI firmware. A local privileged user can exploit the race and escalate privileges on the system.

3) Improper handling of exceptional conditions (CVE-ID: CVE-2023-43753)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper handling of errors in Intel Processors with Intel Software Guard Extensions. A local user can gain access to sensitive information.

4) Out-of-bounds write (CVE-ID: CVE-2023-40481)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when parsing SQFS files. A remote attacker can create a specially crafted archive, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.

5) Integer underflow (CVE-ID: CVE-2023-31102)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer underflow when parsing 7Z files. A remote attacker can trick the victim to open a specially crafted archive, trigger an integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2024-21806)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling in Linux kernel mode driver. A local user can perform a denial of service (DoS) attack.

7) Input validation error (CVE-ID: CVE-2024-24983)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.

8) Insufficient Control Flow Management (CVE-ID: CVE-2024-22374)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient control flow management for some Intel Xeon Processors. A local user can perform a denial of service (DoS) attack.

9) Untrusted search path (CVE-ID: CVE-2024-21769)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an untrusted search path in some Intel(R) Ethernet Connection I219-LM install software. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.

10) Improper Initialization (CVE-ID: CVE-2024-21807)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.

11) Improper access control (CVE-ID: CVE-2024-24986)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions. A local user can execute arbitrary code with elevated privileges.

12) Integer overflow (CVE-ID: CVE-2024-23981)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A local user can trigger ab integer overflow and execute arbitrary code with elevated privileges.

13) Out-of-bounds write (CVE-ID: CVE-2024-23497)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

14) Input validation error (CVE-ID: CVE-2024-21810)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the Linux kernel mode driver for some Intel Ethernet Network Controllers and Adapters. A local user can execute arbitrary code with escalated privileges.

15) Untrusted search path (CVE-ID: CVE-2024-22376)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an untrusted search path in some installation software. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.

Remediation

Install update from vendor's website.

References

• https://www.dell.com/support/kbdoc/nl-nl/000237607/dsa-2024-416-security-update-for-dell-apex-cloud-platform-for-microsoft-azure-and-dell-apex-cloud-platform-foundation-software-for-multiple-third-party-component-vulnerabilities