DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities
Resumen: Dell PowerStore Family remediation is available for multiple security vulnerabilities that maybe exploited by malicious users to compromise the affected system.
Este artículo se aplica a
Este artículo no se aplica a
Este artículo no está vinculado a ningún producto específico.
No se identifican todas las versiones del producto en este artículo.
Impacto
Critical
Detalles
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-31234 | Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  |
| CVE-2022-22555 | Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-32498 | Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code. | 5.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L |
| CVE-2022-33923 | Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More Information |
| Ansible | CVE-2019-10156 | See NVD (http://nvd.nist.gov/ ) for individual scores of each CVE. |
| Apache Shiro | CVE-2021-41303 | |
| Highcharts JS | CVE-2021-29489 | |
| Jinja2 | CVE-2019-10906 | |
| CVE-2016-10745 | ||
| CVE-2020-28493 | ||
| libsndfile | CVE-2021-3246 | |
| libX11 libX11-data |
CVE-2021-31535 | |
| libexpat | CVE-2022-22822 | |
| CVE-2022-22823 | ||
| CVE-2022-22824 | ||
| CVE-2022-23852 | ||
| CVE-2022-23990 | ||
| CVE-2022-25235 | ||
| CVE-2022-25236 | ||
| CVE-2022-25315 | ||
| Log4j | CVE-2020-9488 | |
| CVE-2021-45105 | ||
| CVE-2021-44832 | ||
| lxml | CVE-2021-43818 | |
| CVE-2021-28957 | ||
| CVE-2020-27783 | ||
| netty | CVE-2021-43797 | |
| NSS NSPR libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-certs mozilla-nss-tools mozilla-nspr |
CVE-2020-12403 | |
| CVE-2021-43527 | ||
| numpy | CVE-2021-41496 | |
| openssl | CVE-2021-3711 | |
| pip | CVE-2019-20916 | |
| postgres | CVE-2021-32027 | |
| CVE-2021-32028 | ||
| CVE-2021-3393 | ||
| CVE-2021-3677 | ||
| CVE-2021-23222 | ||
| CVE-2021-23214 | ||
| Python-3 | CVE-2021-25315 | |
| CVE-2020-25592 | ||
| CVE-2020-11651 | ||
| CVE-2020-11652 | ||
| CVE-2018-15751 | ||
| pyyaml | CVE-2020-14343 | |
| CVE-2017-18342 | ||
| ruby | CVE-2020-25613 | |
| xterm xterm-bin |
CVE-2021-27135 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-31234 | Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22555 | Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-32498 | Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code. | 5.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L |
| CVE-2022-33923 | Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More Information |
| Ansible | CVE-2019-10156 | See NVD (http://nvd.nist.gov/ ) for individual scores of each CVE. |
| Apache Shiro | CVE-2021-41303 | |
| Highcharts JS | CVE-2021-29489 | |
| Jinja2 | CVE-2019-10906 | |
| CVE-2016-10745 | ||
| CVE-2020-28493 | ||
| libsndfile | CVE-2021-3246 | |
| libX11 libX11-data |
CVE-2021-31535 | |
| libexpat | CVE-2022-22822 | |
| CVE-2022-22823 | ||
| CVE-2022-22824 | ||
| CVE-2022-23852 | ||
| CVE-2022-23990 | ||
| CVE-2022-25235 | ||
| CVE-2022-25236 | ||
| CVE-2022-25315 | ||
| Log4j | CVE-2020-9488 | |
| CVE-2021-45105 | ||
| CVE-2021-44832 | ||
| lxml | CVE-2021-43818 | |
| CVE-2021-28957 | ||
| CVE-2020-27783 | ||
| netty | CVE-2021-43797 | |
| NSS NSPR libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-certs mozilla-nss-tools mozilla-nspr |
CVE-2020-12403 | |
| CVE-2021-43527 | ||
| numpy | CVE-2021-41496 | |
| openssl | CVE-2021-3711 | |
| pip | CVE-2019-20916 | |
| postgres | CVE-2021-32027 | |
| CVE-2021-32028 | ||
| CVE-2021-3393 | ||
| CVE-2021-3677 | ||
| CVE-2021-23222 | ||
| CVE-2021-23214 | ||
| Python-3 | CVE-2021-25315 | |
| CVE-2020-25592 | ||
| CVE-2020-11651 | ||
| CVE-2020-11652 | ||
| CVE-2018-15751 | ||
| pyyaml | CVE-2020-14343 | |
| CVE-2017-18342 | ||
| ruby | CVE-2020-25613 | |
| xterm xterm-bin |
CVE-2021-27135 |
Corrección y productos afectados
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| All CVEs above excluding CVE-2022-32498 | PowerStore T OS | PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 | PowerStore T OS Upgrade 3.0.0.0-1732745 | https://www.dell.com/support/home/?app=drivers |
| CVE-2022-32498 | PowerStore Command Line Interface (CLI) tool for Windows | PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745 |
PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745 |
https://www.dell.com/support/home/?app=drivers |
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| All CVEs above excluding CVE-2022-32498 | PowerStore T OS | PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 | PowerStore T OS Upgrade 3.0.0.0-1732745 | https://www.dell.com/support/home/?app=drivers |
| CVE-2022-32498 | PowerStore Command Line Interface (CLI) tool for Windows | PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745 |
PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745 |
https://www.dell.com/support/home/?app=drivers |
Soluciones alternativas y mitigaciones
CVE-2022-31234:
Configure a long, complex password for the System management account, and change it on a regular basis. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for password requirements. The minimum number of characters is 8 however you should configure a longer than 8 password in order to make it very difficult to brute force.
CVE-2022-22555:
An attacker requires local access through external SSH; therefore, it is recommended to always leave the external SSH service interface disabled unless it must be used to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for detailed information about external SSH access.
Historial de revisiones
| Revision | Date | More Information |
| 1.0 | 2022-07-07 | Initial Release |
Información relacionada
Descargo de responsabilidad
Productos afectados
PowerStore, PowerStore 1000T, PowerStore 1200T, PowerStore 3000T, PowerStore 5000T, PowerStore 500T, PowerStore 7000T, PowerStore 9000T, Product Security InformationPropiedades del artículo
Número del artículo: 000201283
Tipo de artículo: Dell Security Advisory
Última modificación: 20 jun 2023
Encuentre respuestas a sus preguntas de otros usuarios de Dell
Servicios de soporte
Compruebe si el dispositivo está cubierto por los servicios de soporte.