Advisory for Dell Security Update

  • NIC-CERT/2023-03/049
  • Date: 2023-03-03
  • CVE ID: Multiple
  • Severity: Critical
  1. Description:

Vulnerabilities have been found in Dell products that could allow an attacker to take control of an affected system.

  2. Security Issues fixed:

Remediation is available for multiple security vulnerabilities in Dell PowerScale OneFS, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler, Dell Solutions Enabler Virtual Appliance, Dell Unisphere 360, Dell VASA Provider Virtual Appliance, and Dell PowerMax Embedded Management that may be exploited by malicious users to compromise the affected system.

  3. Description:

| Proprietary Code CVEs | Description |
|---|---|
| CVE-2022-45104 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 9.2.3.x contain an Improper Input Validation vulnerability in vApp Manager’s Download Logs feature. A low privileged remote attacker may potentially exploit this vulnerability to obtain Remote Code Execution on the underlying system. |
| CVE-2022-34397 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 10.0.0.2 and earlier contain an authorization bypass vulnerability, allowing users to perform actions for which they are not authorized. |
| CVE-2022-45103 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 9.2.3.x contain an Improper Input Validation vulnerability in vApp Manager’s Download Logs feature. A low privileged remote attacker may potentially exploit this vulnerability, allowing an authenticated user to read arbitrary files on the underlying file system. |
| CVE-2022-34363 | Dell Unisphere for PowerMax vApp versions prior to 10.0.0.2 contain an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp |
| CVE-2023-25536 | Dell PowerScale OneFS 9.4.0.x contains an exposure of sensitive information to an unauthorized actor vulnerability. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover. |
| CVE-2023-25540 | Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files, causing denial of service. |
| CVE-2023-23689 | The integrated hardware management software of Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, and F810 contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger the OneFS data protection mechanism, causing a denial of service. |

  4. Affected Products and Solution:

| Product | Affected Versions | Updated Versions | Link to Update |
|---|---|---|---|
| Unisphere for PowerMax | Versions before 10.0.0.5 | 10.0.0.5; EEM: 10.0.0.968 | https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers |
| Unisphere for PowerMax | Versions before 9.2.3.22 | 9.2.3.22; EEM: 9.2.4.26 | https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers |
| Unisphere for PowerMax Virtual Appliance | Versions before 9.2.3.22 | 9.2.3.22; EEM: 9.2.4.26 | https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers |
| Unisphere 360 | Versions before 9.2.3.12 | 9.2.3.12 | https://www.dell.com/support/home/en-us/product-support/product/unisphere-360/drivers |
| Solutions Enabler | Versions before 10.0.0.5 | 10.0.0.5; EEM: 10.0.0.968 | https://www.dell.com/support/home/en-us/product-support/product/solutions-enabler/drivers |
| Solutions Enabler | Versions before 9.2.3.6 | 9.2.3.6; EEM: 9.2.4.26 | https://www.dell.com/support/home/en-us/product-support/product/solutions-enabler/drivers |
| Solutions Enabler Virtual Appliance | Versions before 9.2.3.6 | 9.2.3.6; EEM: 9.2.4.26 | https://www.dell.com/support/home/en-us/product-support/product/solutions-enabler/drivers |
| eVASA Provider Virtual Appliance | Versions before 9.2.4.15 | 9.2.4.15 | https://www.dell.com/support/home/en-us/product-support/product/vasa-provider/drivers |
| VASA Provider Standalone | Versions before 9.2.4.22 | 9.2.4.22 | https://www.dell.com/support/home/en-us/product-support/product/vasa-provider/drivers |
| PowerMaxOS | 10.0.0.x | 10.0.0.x | Request DSA-2022-340 |
| PowerMaxOS | 5978 | 5978 | Request DSA-2022-340 |
| PowerScale OneFS | 9.1.0.0 through 9.1.0.27; 9.2.1.0 through 9.2.1.20; 9.4.0.0 through 9.4.0.11 | Download and install the latest RUP. >= 9.1.0.28; >= 9.2.1.21; >= 9.4.0.12 | PowerScale OneFS Downloads Area |
| PowerScale OneFS | Any other version | Upgrade your version of PowerScale OneFS. | |
| PowerScale OneFS | 9.4.0.0 through 9.4.0.11 | Download and install the latest RUP. >= 9.4.0.12 | |
| A200, A2000, F800, F810, H400, H500, H600, H5600 | 9.5.0.x, 9.4.0.x, 9.3.0.x, 9.2.1.x, 9.2.0.x, 9.1.0.x, 9.0.0.x | Download and install the latest NFP version >= 11.6.1 | |
| A300, A3000, H700, H7000 | 9.5.0.x, 9.4.0.x, 9.3.0.x, 9.2.1.x, 9.2.0.x, 9.1.0.x, 9.0.0.x | | |
| Avamar Server, Avamar Virtual Edition | 19.3 and 19.4 | 19.7 | Support for Avamar Server (Drivers & Downloads) |
| PowerProtect DP Series Appliance and Integrated Data Protection Appliance | 2.7.x (includes Protection Software Avamar version 19.4) | 2.7.2 or later with 19.4 MC Hotfix | Avamar 19.4 MC Cumulative Hotfix for Avamar Server and Avamar Virtual Edition November 2022 (Hotfix 337055) |
| PowerProtect DP Series Appliance and Integrated Data Protection Appliance | 2.6.x (includes Protection Software Avamar 19.3) | Apply Protection Software Avamar MC hotfix that is expected to be available for 19.3. | Links will be available once the hotfix is released. |
| Dell NetWorker, NVE | 19.5 and earlier versions | 19.6 and later versions | https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers |


  5. References:

https://www.dell.com/support/security/en-in