Article Number: 000220264
DSA-2023-412: Dell Technologies PowerProtect Security Update for Multiple Security Vulnerabilities
Summary: Dell Technologies PowerProtect products remediation is available for various multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system. ...
Article Content
Impact
High
Additional Details
Update Dec-23-2023: All known issues found in DDOS 7.13.0.10 have been resolved with the latest DDOS version 7.13.0.20
Details
| Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|---|---|---|---|
| CVE-2023-44286 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. . Exploitation may lead to information disclosure, session theft, or client-side request forgery. |
8.8 |
|
| CVE-2023-48668 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. |
8.2 |
|
| CVE-2023-44285 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. |
7.8 |
|
| CVE-2023-44277 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. |
7.8 |
|
| CVE-2023-48667 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. |
7.2 |
|
| CVE-2023-44279 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. |
6.7 |
|
| CVE-2023-44278 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. |
6.7 |
|
| CVE-2023-44284 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. |
4.3 |
| Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|---|---|---|---|
| CVE-2023-44286 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. . Exploitation may lead to information disclosure, session theft, or client-side request forgery. |
8.8 |
|
| CVE-2023-48668 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. |
8.2 |
|
| CVE-2023-44285 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. |
7.8 |
|
| CVE-2023-44277 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. |
7.8 |
|
| CVE-2023-48667 |
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. |
7.2 |
|
| CVE-2023-44279 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. |
6.7 |
|
| CVE-2023-44278 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. |
6.7 |
|
| CVE-2023-44284 |
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. |
4.3 |
Affected Products and Remediation
| CVEs Addressed |
Product |
Affected Versions |
Remediated Versions |
Link |
|---|---|---|---|---|
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
|
Dell PowerProtect DD series appliances Dell PowerProtect DD Virtual Edition Dell APEX Protection Storage
|
7.0 to 7.12.0.0
|
7.13.0.20 and above or |
For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):
|
| 6.2.1.100 and below |
6.2.1.110 and above |
|||
| CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 |
Dell PowerProtect DD management Center |
7.0 to 7.12.0.0 |
7.13.0.10 and above |
|
| 6.2.1.100 and below |
6.2.1.110 and above |
|||
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 |
PowerProtect DP Series Appliance (IDPA): All Models |
2.7.4 and below |
2.7.6 and above |
Link to PowerProtect DP Series Software: https://www.dell.com/support/home/en-us/product-support/product/integrated-data-protection-appliance/drivers
|
| CVE-2023-44284 |
PowerProtect Data Manager Appliance model: DM5500 |
5.14 and below |
5.15.0.0 and above |
To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg |
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 |
Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment |
7.0 to 7.12.0.0
|
7.13.0.20 and above or
|
Contact customer support to schedule the code update.
For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): |
| 6.2.1.100 and below |
6.2.1.110 and above |
| CVEs Addressed |
Product |
Affected Versions |
Remediated Versions |
Link |
|---|---|---|---|---|
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
|
Dell PowerProtect DD series appliances Dell PowerProtect DD Virtual Edition Dell APEX Protection Storage
|
7.0 to 7.12.0.0
|
7.13.0.20 and above or |
For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):
|
| 6.2.1.100 and below |
6.2.1.110 and above |
|||
| CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 |
Dell PowerProtect DD management Center |
7.0 to 7.12.0.0 |
7.13.0.10 and above |
|
| 6.2.1.100 and below |
6.2.1.110 and above |
|||
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 |
PowerProtect DP Series Appliance (IDPA): All Models |
2.7.4 and below |
2.7.6 and above |
Link to PowerProtect DP Series Software: https://www.dell.com/support/home/en-us/product-support/product/integrated-data-protection-appliance/drivers
|
| CVE-2023-44284 |
PowerProtect Data Manager Appliance model: DM5500 |
5.14 and below |
5.15.0.0 and above |
To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg |
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 |
Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment |
7.0 to 7.12.0.0
|
7.13.0.20 and above or
|
Contact customer support to schedule the code update.
For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): |
| 6.2.1.100 and below |
6.2.1.110 and above |
Additional, related information is available at this Knowledgebase article KB000220263: Additional Information Regarding DSA-2023-412: Dell PowerProtect DD Vulnerabilities.
Expected availability dates are subject to change.
Expected availability dates are subject to change.
Acknowledgements
CVE-2023-44279: Dell Technologies would like to thank Rushank Shetty and Ryan Kane (Security Researchers at Northwestern Mutual) for reporting this issue.
CVE-2023-44277, CVE-2023-44284, CVE-2023-44286: Dell Technologies would like to thank Jakub Brzozowski (redfr0g), Franciszek Kalinowski, and Stanisław Koza from STM Cyber for reporting these issues.
CVE-2023-44277: Dell Technologies would like to thank Sebastian Grot and Bartosz Chalek for reporting this issue.
Revision History
|
Revision |
Date |
Description |
|---|---|---|
|
1.0 |
2023-12-13 |
Initial Release |
| 2.0 | 2023-12-13 | Updated for enhancement no change to content |
| 3.0 | 2023-12-13 |
• Updated "Affected Product" section under "Article Properties" |
| 4.0 | 2023-12-13 | Added Additional Acknowledgement in "Acknowledgements" section |
| 5.0 | 2023-12-13 | • Corrected link in the "Affected Products and Remediation" Table • Removed Additional Details statement "The downloads will be made available shortly" • Updated "Affected Product section under "Article Properties" |
| 6.0 | 2023-12-13 | Updated "Affected Product section under "Article Properties" |
| 7.0 | 2023-12-15 | Added in the "Additional Info" section the following statement" Due to a known issue, we advise against upgrading DD9800 systems to DDOS 7.13.0.10. A workaround will be made available soon, and this page will be updated with the details. DD9800 systems can still be upgraded to DDOS 7.7.5.25 or 7.10.1.15 |
| 8.0 | 2023-12-19 | Corrected hyperlink in "Affected Products and Remediation" section |
| 9.0 | 2023-12-19 | Added "Additional Details" section Updated "Affected Products and Remediation" section |
| 10.0-12.0 | 2023-12-21 | Updated "Affected Products and Remediation" section |
| 13.0 | 2024-01-11 | Updated "Acknowledgements" section |
| 14.0 | 2024-02-28 | Updated "Acknowledgments" section |
Related Information
Legal Information
Article Properties
Affected Product
Data Backup & Protection Storage, Data Domain, PowerProtect Data Protection Appliance, PowerProtect Data Manager Appliance, DD3300 Appliance, Data Domain Deduplication Storage Systems, DD OS 6.2, DD OS, DD OS 6.0, DD OS 6.1, DD OS 7.0, DD OS 7.1
, DD OS 7.10, DD OS 7.11, DD OS 7.12, DD OS 7.2, DD OS 7.3, DD OS 7.4, DD OS 7.5, DD OS 7.6, DD OS 7.7, DD OS 7.8, DD OS 7.9, Data Domain Virtual Edition, DD2200 Appliance, DD6300 Appliance, DD6400 Appliance, DD6800 Appliance, DD6900 Appliance, DD9300 Appliance, DD9400 Appliance, DD9800 Appliance, DD9900 Appliance, Disk Library for mainframe, PowerProtect Data Domain Management Center, Integrated Data Protection Appliance Software, PowerProtect DM5500
...
Last Published Date
28 Feb 2024
Version
14
Article Type
Dell Security Advisory