DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article is not tied to a specific product.
Not all product versions are listed in this article.
Impact
High
Details
| Third-Party Component | CVEs | More information |
|---|---|---|
| Sudo | CVE-2023-42465 | https://nvd.nist.gov/vuln/detail/CVE-2023-42465 |
| pyca/cryptography | CVE-2023-23931, CVE-2020-25659 | See the NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-29170 | Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
Affected Products and Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Links |
|---|---|---|---|---|
| CVE-2023-42465 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 | Version 9.4.0.18 or later | PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 | Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.8 | Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.6.0.0 through 9.7.0.1 | Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.7.0.2 | Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-29170 | PowerScale OneFS | Version 8.2.x through 9.8.0.x | N/A | PowerScale OneFS Security Configuration Guide |
Note: Any version not listed in the Affected Products and Remediation section should be upgraded to PowerScale OneFS version 9.7.1.0 or later. We encourage all customers to adopt the Long Term Support (LTS) 2024 version, the 9.7.x code line with the latest maintenance release 9.7.1.0. For more information about LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
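As an added example (not part of the Dell advisory), the following Python encodes the remediation table above and reports which of this advisory's CVEs still apply to a given running OneFS version, with the version to upgrade to or "N/A" where only a configuration mitigation exists. The range bounds are taken from the table; the `AFFECTED_RANGES` name and the handling of the "x" wildcard are this example's own assumptions.

```python
# Added example, not Dell's code: map a running PowerScale OneFS version to the
# CVEs from DSA-2024-210 that still apply to it, using the advisory's own ranges.
from typing import Dict, List, Tuple

WILD_HIGH = 10**6  # "x" in an upper bound means "any build in that position"

# Constructed from the "Affected Products and Remediation" table of the advisory:
# (affected lower bound, affected upper bound, remediated version, CVEs)
AFFECTED_RANGES: List[Tuple[str, str, str, Tuple[str, ...]]] = [
    ("8.2.x",   "9.4.0.17", "9.4.0.18", ("CVE-2023-42465",)),
    ("8.2.x",   "9.4.0.17", "9.5.1.0",  ("CVE-2023-23931", "CVE-2020-25659")),
    ("9.5.0.0", "9.5.0.8",  "9.5.1.0",  ("CVE-2023-42465", "CVE-2023-23931", "CVE-2020-25659")),
    ("9.6.0.0", "9.7.0.1",  "9.7.1.0",  ("CVE-2023-42465", "CVE-2023-23931", "CVE-2020-25659")),
    ("9.7.0.2", "9.7.0.2",  "9.7.1.0",  ("CVE-2023-23931", "CVE-2020-25659")),
    # Hard-coded backend switch credentials: no fixed release, mitigation only.
    ("8.2.x",   "9.8.0.x",  "N/A",      ("CVE-2024-29170",)),
]


def parse(version: str, wildcard: int = 0) -> Tuple[int, ...]:
    """Turn '9.4.0.17' or '9.8.0.x' into a comparable 4-tuple of ints.

    'x' becomes `wildcard` (0 for a lower bound, WILD_HIGH for an upper bound);
    short versions such as '9.5' are padded with zeros so '9.5' == '9.5.0.0'.
    """
    nums = [wildcard if p.lower() == "x" else int(p) for p in version.strip().split(".")]
    if len(nums) > 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def outstanding_cves(running: str) -> Dict[str, str]:
    """Return {CVE: remediated version} for every CVE still open on `running`.

    A CVE is open when `running` lies inside an affected range (bounds inclusive);
    the value is the version to upgrade to, or 'N/A' where the advisory gives
    only a configuration mitigation.
    """
    current = parse(running)
    open_cves: Dict[str, str] = {}
    for lower, upper, fixed, cves in AFFECTED_RANGES:
        if parse(lower, 0) <= current <= parse(upper, WILD_HIGH):
            for cve in cves:
                open_cves[cve] = fixed
    return open_cves


if __name__ == "__main__":
    for v in ("9.4.0.17", "9.4.0.18", "9.7.0.2", "9.8.0.3"):
        print(v, "->", outstanding_cves(v) or "no CVEs from this advisory")
```

A version that falls outside every listed range except the CVE-2024-29170 row is exactly the "not listed" case the note above covers; the advisory's guidance for it is still to move to 9.7.1.0 or later.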
Workarounds and Mitigations
| CVEs | Mitigations |
|---|---|
| CVE-2023-42465 | This vulnerability only applies when customers have granted ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. It can be mitigated on clusters not in compliance mode running PowerScale OneFS version 9.5 or later by enabling the restricted shell for those users. More information regarding the restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub. |
| CVE-2024-29170 | Please refer to the section "Change password on backend switches" in the "Security Configuration Guide" document listed under "Administering Your Cluster" at https://www.dell.com/support/kbdoc/000220353 |
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-06-03 | Initial Release |
| 2.0 | 2024-06-12 | Updated Workarounds and Mitigations section: CVE-2024-29170 mitigation details |
| 3.0 | 2024-06-19 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-07-01 | Updated Affected Products and Remediation section: Version 9.5.1.0 release |
| 5.0 | 2024-07-29 | Updated for enhanced presentation with no changes to content. |
| 6.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content. |
Affected Products
PowerScale OneFS
Article Properties
Article Number: 000225667
Article Type: Dell Security Advisory
Last Modified: 03 Oct 2024