Advisory for Dell Security Update

  • NIC-CERT/2022-07/308
  • Date: 2022-07-07
  • CVE ID: Multiple
  • Severity: Critical

Description:

Multiple vulnerabilities have been reported in Dell products which could allow an attacker to compromise the affected system.

Security Issues Fixed:

Remediations are available for Dell BSAFE Crypto-C Micro Edition and Dell BSAFE Micro Edition Suite for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. A remediation is also available for Cloud Mobility for Dell EMC Storage for a path traversal/RCE vulnerability that may be exploited by malicious users to compromise the affected system.

Details:

Proprietary Code CVEs (CVE ID, description, CVSS base score):

  • CVE-2020-35169 (CVSS 9.1): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Improper Input Validation Vulnerability.
  • CVE-2020-29504 (CVSS 7.4): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Missing Required Cryptographic Step Vulnerability.
  • CVE-2020-29505 (CVSS 7.1): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability.
  • CVE-2020-29506 (CVSS 6.8): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.
  • CVE-2020-35164 (CVSS 6.7): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
  • CVE-2021-21575 (CVSS 5.9): Dell BSAFE Micro Edition Suite, versions before 4.5.2, contains an Observable Timing Discrepancy Vulnerability.
  • CVE-2020-29507 (CVSS 5.3): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.4, and Dell BSAFE Micro Edition Suite, versions before 4.4, contain an Improper Input Validation Vulnerability.
  • CVE-2020-29508 (CVSS 5.3): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Improper Input Validation Vulnerability.
  • CVE-2020-35163 (CVSS 5.3): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain a Use of Insufficiently Random Values Vulnerability.
  • CVE-2020-35165 (CVSS 5.1): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
  • CVE-2020-35166 (CVSS 5.1): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
  • CVE-2020-35167 (CVSS 4.8): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
  • CVE-2020-35168 (CVSS 4.7): Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
  • CVE-2022-33936 (CVSS 8.0): Cloud Mobility for Dell EMC Storage, versions 1.3.0 and earlier, contains a path traversal in the backup mechanism for the vApp. Any basic user may purposefully or accidentally exploit this vulnerability, leading to RCE with full takeover of the system.


  1. Affected Products and Remediation:

CVEs addressed / Product / Affected Versions / Updated Versions:

  • CVE-2020-35169, CVE-2020-29504, CVE-2020-29505, CVE-2020-29506, CVE-2021-21575
      • Dell BSAFE Crypto-C Micro Edition: all versions before 4.1.5; updated version 4.1.5
      • Dell BSAFE Micro Edition Suite: all versions before 4.5.2; updated versions 4.5.2, 4.6
  • CVE-2020-35164, CVE-2020-29508, CVE-2020-35163, CVE-2020-35165, CVE-2020-35166, CVE-2020-35167, CVE-2020-35168
      • Dell BSAFE Crypto-C Micro Edition: all versions before 4.1.5; updated version 4.1.5
      • Dell BSAFE Micro Edition Suite: all versions before 4.6; updated version 4.6
  • CVE-2020-29507
      • Dell BSAFE Crypto-C Micro Edition: all versions before 4.1.4; updated version 4.1.4
      • Dell BSAFE Micro Edition Suite: all versions before 4.4; updated version 4.4
  • CVE-2022-33936
      • Cloud Mobility for Dell EMC Storage: affected version 1.3.0; updated version 1.3.1

Product / Affected Versions / Updated Versions / Link to Update:

  • OneFS (link to update: PowerScale OneFS Downloads Area)
      • >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.3: these versions are remediated.
      • 9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12, 9.4.0.0 through 9.4.0.2: download and install the latest RUP.
      • 9.3.0.0 through 9.3.0.6: RUP expected in July. If a fix is needed sooner, upgrade your version of OneFS.
      • Any other version: upgrade your version of OneFS.


  • OneFS
      • >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.0: these versions are remediated.
      • 9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12: download and install the latest RUP.
      • 9.3.0.0 through 9.3.0.6: RUP expected in July. If a fix is needed sooner, upgrade your version of OneFS.
      • Any other version: upgrade your version of OneFS.


  • OneFS
      • >= 9.2.1.13, >= 9.4.0.0: these versions are remediated.
      • 9.2.1.0 through 9.2.1.12: download and install the latest RUP.
      • 9.3.0.0 through 9.3.0.6: RUP expected in July. If a fix is needed sooner, upgrade your version of OneFS.
      • 9.2.0.0 or 9.2.0.1: upgrade your version of OneFS.
  • libxml2
      • >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.3: these versions are remediated.
      • 9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12, 9.4.0.0 through 9.4.0.2: download and install the latest RUP.
      • 9.3.0.0 through 9.3.0.6: RUP expected in July. If a fix is needed sooner, upgrade your version of OneFS.
      • Any other version: upgrade your version of OneFS.
  • libexpat
      • >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.0: these versions are remediated.
      • 9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12: download and install the latest RUP.
      • 9.3.0.0 through 9.3.0.6: RUP expected in July. If a fix is needed sooner, upgrade your version of OneFS.
      • Any other version: upgrade your version of OneFS.
  • Cyber Recovery (link to update: Cyber Recovery Downloads)
      • Versions before 19.11: updated version 19.11.


Dell recommends all customers upgrade at the earliest opportunity.

References:

https://www.dell.com/support/security/en-us