DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities
Summary: Dell PowerStore Family remediation is available for multiple security vulnerabilities that maybe exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-31234 | Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  |
| CVE-2022-22555 | Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-32498 | Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code. | 5.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L |
| CVE-2022-33923 | Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More Information |
| Ansible | CVE-2019-10156 | See NVD (http://nvd.nist.gov/ ) for individual scores of each CVE. |
| Apache Shiro | CVE-2021-41303 | |
| Highcharts JS | CVE-2021-29489 | |
| Jinja2 | CVE-2019-10906 | |
| CVE-2016-10745 | ||
| CVE-2020-28493 | ||
| libsndfile | CVE-2021-3246 | |
| libX11 libX11-data |
CVE-2021-31535 | |
| libexpat | CVE-2022-22822 | |
| CVE-2022-22823 | ||
| CVE-2022-22824 | ||
| CVE-2022-23852 | ||
| CVE-2022-23990 | ||
| CVE-2022-25235 | ||
| CVE-2022-25236 | ||
| CVE-2022-25315 | ||
| Log4j | CVE-2020-9488 | |
| CVE-2021-45105 | ||
| CVE-2021-44832 | ||
| lxml | CVE-2021-43818 | |
| CVE-2021-28957 | ||
| CVE-2020-27783 | ||
| netty | CVE-2021-43797 | |
| NSS NSPR libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-certs mozilla-nss-tools mozilla-nspr |
CVE-2020-12403 | |
| CVE-2021-43527 | ||
| numpy | CVE-2021-41496 | |
| openssl | CVE-2021-3711 | |
| pip | CVE-2019-20916 | |
| postgres | CVE-2021-32027 | |
| CVE-2021-32028 | ||
| CVE-2021-3393 | ||
| CVE-2021-3677 | ||
| CVE-2021-23222 | ||
| CVE-2021-23214 | ||
| Python-3 | CVE-2021-25315 | |
| CVE-2020-25592 | ||
| CVE-2020-11651 | ||
| CVE-2020-11652 | ||
| CVE-2018-15751 | ||
| pyyaml | CVE-2020-14343 | |
| CVE-2017-18342 | ||
| ruby | CVE-2020-25613 | |
| xterm xterm-bin |
CVE-2021-27135 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-31234 | Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22555 | Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-32498 | Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code. | 5.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L |
| CVE-2022-33923 | Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More Information |
| Ansible | CVE-2019-10156 | See NVD (http://nvd.nist.gov/ ) for individual scores of each CVE. |
| Apache Shiro | CVE-2021-41303 | |
| Highcharts JS | CVE-2021-29489 | |
| Jinja2 | CVE-2019-10906 | |
| CVE-2016-10745 | ||
| CVE-2020-28493 | ||
| libsndfile | CVE-2021-3246 | |
| libX11 libX11-data |
CVE-2021-31535 | |
| libexpat | CVE-2022-22822 | |
| CVE-2022-22823 | ||
| CVE-2022-22824 | ||
| CVE-2022-23852 | ||
| CVE-2022-23990 | ||
| CVE-2022-25235 | ||
| CVE-2022-25236 | ||
| CVE-2022-25315 | ||
| Log4j | CVE-2020-9488 | |
| CVE-2021-45105 | ||
| CVE-2021-44832 | ||
| lxml | CVE-2021-43818 | |
| CVE-2021-28957 | ||
| CVE-2020-27783 | ||
| netty | CVE-2021-43797 | |
| NSS NSPR libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-certs mozilla-nss-tools mozilla-nspr |
CVE-2020-12403 | |
| CVE-2021-43527 | ||
| numpy | CVE-2021-41496 | |
| openssl | CVE-2021-3711 | |
| pip | CVE-2019-20916 | |
| postgres | CVE-2021-32027 | |
| CVE-2021-32028 | ||
| CVE-2021-3393 | ||
| CVE-2021-3677 | ||
| CVE-2021-23222 | ||
| CVE-2021-23214 | ||
| Python-3 | CVE-2021-25315 | |
| CVE-2020-25592 | ||
| CVE-2020-11651 | ||
| CVE-2020-11652 | ||
| CVE-2018-15751 | ||
| pyyaml | CVE-2020-14343 | |
| CVE-2017-18342 | ||
| ruby | CVE-2020-25613 | |
| xterm xterm-bin |
CVE-2021-27135 |
Affected Products & Remediation
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| All CVEs above excluding CVE-2022-32498 | PowerStore T OS | PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 | PowerStore T OS Upgrade 3.0.0.0-1732745 | https://www.dell.com/support/home/?app=drivers |
| CVE-2022-32498 | PowerStore Command Line Interface (CLI) tool for Windows | PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745 |
PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745 |
https://www.dell.com/support/home/?app=drivers |
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| All CVEs above excluding CVE-2022-32498 | PowerStore T OS | PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 | PowerStore T OS Upgrade 3.0.0.0-1732745 | https://www.dell.com/support/home/?app=drivers |
| CVE-2022-32498 | PowerStore Command Line Interface (CLI) tool for Windows | PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745 |
PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745 |
https://www.dell.com/support/home/?app=drivers |
Workarounds & Mitigations
CVE-2022-31234:
Configure a long, complex password for the System management account, and change it on a regular basis. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for password requirements. The minimum number of characters is 8 however you should configure a longer than 8 password in order to make it very difficult to brute force.
CVE-2022-22555:
An attacker requires local access through external SSH; therefore, it is recommended to always leave the external SSH service interface disabled unless it must be used to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for detailed information about external SSH access.
Revision History
| Revision | Date | More Information |
| 1.0 | 2022-07-07 | Initial Release |
Related Information
Legal Disclaimer
Affected Products
PowerStore, PowerStore 1000T, PowerStore 1200T, PowerStore 3000T, PowerStore 5000T, PowerStore 500T, PowerStore 7000T, PowerStore 9000T, Product Security InformationArticle Properties
Article Number: 000201283
Article Type: Dell Security Advisory
Last Modified: 20 Jun 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.