SB2025011632 - Multiple vulnerabilities in Dell PowerScale OneFS
Published: January 16, 2025 Updated: February 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) HTTP response splitting (CVE-ID: CVE-2023-38709)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not correctly process CRLF character sequences. A malicious or exploitable backend/content generators can send specially crafted response containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
2) Link following (CVE-ID: CVE-2024-39578)
The vulnerability allows a local high privileged user to perform a denial of service (DoS) attack and modify data on the system.
The vulnerability exists due to Dell PowerScale OneFS UNIX symbolic link (symlink). A local high privileged user could potentially exploit this vulnerability, leading to denial of service, information tampering.
3) Incorrect Privilege Assignment (CVE-ID: CVE-2024-39579)
The vulnerability allows a local high privileged user to gain root-level access.
The vulnerability exists due to incorrect privilege assignment. A local high privileged user could potentially exploit this vulnerability to gain root-level access.
4) Resource management error (CVE-ID: CVE-2023-7250)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote malicious client can initiate the connection with the server sending it less data than expected and block the iperf server from servicing other clients.
5) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-46219)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error when handling HSTS long file names. When saving HSTS data to an excessively long file name, curl can end
up removing all contents from the file, making subsequent requests using that file
unaware of the HSTS status they should otherwise use. As a result, a remote attacker can perform MitM attack.
6) Information disclosure (CVE-ID: CVE-2023-46218)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in curl that allows a malicious HTTP server to set "super cookies" that are then passed back to more origins than what is otherwise allowed or possible. A remote attacker can force curl to send such cookie to different and unrelated sites and domains.
7) HTTP response splitting (CVE-ID: CVE-2024-24795)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not correctly process CRLF character sequences in multiple modules. A remote attacker can inject malicious response headers into backend applications and perform an HTTP desynchronization attack.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
8) Resource exhaustion (CVE-ID: CVE-2024-0450)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the zipfile module does not properly control consumption of internal resources when extracting files from a zip archive. A remote attacker can pass a specially crafted archive aka zip-bomb to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
9) UNIX symbolic link following (CVE-ID: CVE-2023-6597)
The vulnerability allows a local user to delete arbitrary files on the system.
The vulnerability exists due to a symlink following issue during cleanup when handling temporary files. A local user can create a specially crafted symbolic link to a critical file on the system and delete it.
10) XML Entity Expansion (CVE-ID: CVE-2023-52426)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to recursive XML Entity Expansion if XML_DTD is undefined at compile time. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
11) Resource exhaustion (CVE-ID: CVE-2023-52425)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing large tokens. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
12) XML External Entity injection (CVE-ID: CVE-2024-28757)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input when using external parsers via XML_ExternalEntityParserCreate. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
13) NULL pointer dereference (CVE-ID: CVE-2023-49083)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when calling the load_pem_pkcs7_certificates() or load_der_pkcs7_certificates() functions. A remote attacker can pass specially crafted PKCS7 blob/certificate certificate to the application and perform a denial of service (DoS) attack.
14) Race condition (CVE-ID: CVE-2024-6387)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a race condition in portable version of sshd. A remote non-authenticated attacker can send a series of requests in order to trigger a race condition and execute arbitrary code on the system.
Remediation
Install update from vendor's website.
References
- https://downloads.apache.org/httpd/CHANGES_2.4
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://www.dell.com/support/kbdoc/en-us/000228207/dsa-2024-346-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=2244708
- https://bugs.launchpad.net/ubuntu/+source/iperf3/+bug/2038654
- https://downloads.es.net/pub/iperf/esnet-secadv-2023-0002.txt.asc
- https://bugzilla.redhat.com/show_bug.cgi?id=2244707
- https://curl.haxx.se/docs/CVE-2023-46219.html
- https://curl.haxx.se/docs/CVE-2023-46218.html
- https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
- https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
- https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
- https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
- https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
- https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
- https://github.com/python/cpython/issues/109858
- https://www.bamsoftware.com/hacks/zipbomb/
- https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
- https://github.com/python/cpython/issues/91133
- https://github.com/libexpat/libexpat/pull/777
- https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404
- https://github.com/libexpat/libexpat/pull/789
- https://github.com/libexpat/libexpat/pull/842
- https://github.com/libexpat/libexpat/issues/839
- https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
- https://github.com/pyca/cryptography/pull/9926
- https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
- https://www.openssh.com/releasenotes.html#9.8p1
- https://seclists.org/oss-sec/2024/q3/2