
Article Number: 000204995


DSA-2022-273: Dell Secure Connect Gateway (SCG) Policy Manager Security Update for Multiple Proprietary Code Vulnerabilities

Summary: Dell Secure Connect Gateway (SCG) Policy Manager contains remediation for multiple vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

Critical

Details

| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2022-34440 | Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain a Hard-coded Cryptographic Key vulnerability. An attacker with knowledge of the hard-coded sensitive information could potentially exploit this vulnerability to log in to the system and gain admin privileges. | 8.4 HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34441 | Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain a Hard-coded Cryptographic Key vulnerability. An attacker with knowledge of the hard-coded sensitive information could potentially exploit this vulnerability to log in to the system and gain admin privileges. | 8.0 HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| CVE-2022-34442 | Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain a Hard-coded Cryptographic Key vulnerability. An attacker with knowledge of the hard-coded sensitive information could potentially exploit this vulnerability to log in to the system and gain LDAP user privileges. | 8.0 HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| CVE-2022-34462 | Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain a Hard-coded Password vulnerability. An attacker with knowledge of the hard-coded credentials could potentially exploit this vulnerability to log in to the system and gain admin privileges. | 8.4 HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
 
| Third-Party Component | CVEs |
|---|---|
| SUSE Enterprise 12 SP5 | CVE-2022-1292, CVE-2022-2068 |
| org.yaml.snakeyaml | CVE-2022-38752 |
| com.fasterxml.jackson | CVE-2022-42003, CVE-2022-42004 |

More information: See NVD (http://nvd.nist.gov/) for individual scores for each CVE.

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

| CVEs Addressed | Product | Affected Version | Updated Version | Link to Update |
|---|---|---|---|---|
| CVE-2022-1292, CVE-2022-2068, CVE-2022-34440, CVE-2022-34441, CVE-2022-34442, CVE-2022-34462, CVE-2022-42003, CVE-2022-42004 | Dell SCG Policy Manager | 5.12.00.00 | 5.14.00.00 | SCG PM Download Page |

Acknowledgements

Dell would like to thank Matei "Mal" Badanoiu and sradulea for reporting CVE-2022-34440, CVE-2022-34441, CVE-2022-34442 and CVE-2022-34462.
 

Revision History

| Revision | Date | Description |
|---|---|---|
| 1.0 | 2022-11-10 | Initial Release |

Article Properties


Affected Product

Secure Connect Gateway

Last Published Date

10 Nov 2022

Version

2

Article Type

Dell Security Advisory