Article Number: 000213152
DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability
Summary: Dell Unity, Unity VSA and Unity XT remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Article Content
Impact
Critical
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Affected Products and Remediation
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
Revision History
|
Revision |
Date |
Description |
|---|---|---|
|
1.0 |
2023-05-08 |
Initial Release |
| 2.0 | 2023-09-01 | Updated for enhanced presentation with no changes to content. |
| 3.0 | 2023-10-23 | Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section |
| 4.0 | 2023-11-22 | Added 1 new CVE-2023-43082 under "PROPRIERTARY CODE" section |
| 5.0 | 2024-01-24 | Added 1 new CVE-2024-22229 under "PROPRIERTARY CODE" section |
Related Information
Legal Information
Article Properties
Affected Product
Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA Professional Edition/Unity Cloud Edition
Last Published Date
24 Jan 2024
Version
6
Article Type
Dell Security Advisory