Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000220264


DSA-2023-412: Dell Technologies PowerProtect Security Update for Multiple Security Vulnerabilities

Summary: Dell Technologies PowerProtect products remediation is available for various multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system. ...

Article Content


Impact

High

Additional Details

Update Dec-23-2023: All known issues found in DDOS 7.13.0.10 have been resolved with the latest DDOS version 7.13.0.20

Details

Proprietary Code CVEs 

Description 

CVSS Base Score 

CVSS Vector String 

CVE-2023-44286 
 
 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. .  Exploitation may lead to information disclosure, session theft, or client-side request forgery. 

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-48668 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. 

8.2 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44285  
 
 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44277  
 
 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-48667 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. 

7.2 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44279  
 
 

Dell PowerProtect DD , versions prior to 7.13.0.10,  LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44278 
 
 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110  contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44284 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. 

 4.3 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NThis hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVEs 

Description 

CVSS Base Score 

CVSS Vector String 

CVE-2023-44286 
 
 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. .  Exploitation may lead to information disclosure, session theft, or client-side request forgery. 

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-48668 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. 

8.2 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44285  
 
 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44277  
 
 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-48667 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. 

7.2 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44279  
 
 

Dell PowerProtect DD , versions prior to 7.13.0.10,  LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44278 
 
 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110  contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.

CVE-2023-44284 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. 

 4.3 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NThis hyperlink is taking you to a website outside of Dell Technologies.

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed                    

Product 

Affected Versions 

Remediated Versions 

Link 

CVE-2023-44286,  CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

 

Dell PowerProtect DD series appliances 

Dell PowerProtect DD Virtual Edition 

Dell APEX Protection Storage 

 

7.0 to 7.12.0.0 
 
 

  

7.13.0.20 and above or
7.10.1.15 and above to stay on LTS2023 7.10 
or  
7.7.5.25 and above to stay on LTS2022 7.7 

For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles): 
 

 

6.2.1.100 and below 

6.2.1.110 and above 

CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 

Dell PowerProtect DD management Center 

7.0 to 7.12.0.0 

7.13.0.10 and above 
or
7.10.1.15 and above to stay on LTS2023 7.10  
or   
7.7.5.25 and above to stay on LTS2022 7.7 

6.2.1.100 and below   

6.2.1.110 and above   

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 
 

PowerProtect DP Series Appliance (IDPA): All Models 

2.7.4 and below 

2.7.6 and above 

Link to PowerProtect DP Series Software:  https://www.dell.com/support/home/en-us/product-support/product/integrated-data-protection-appliance/drivers 
Link to PowerProtect DP Series Installation and Upgrade guide:  
Dell EMC PowerProtect DP Series Appliance 2.7.6 Installation and Upgrade Guide

 

 CVE-2023-44284 

PowerProtect Data Manager Appliance model: DM5500  

5.14 and below 

5.15.0.0 and above 

To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg 

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 
 
 
 
 

Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment 

 

 

 

 

7.0 to 7.12.0.0 

 

 

 

 

 

 

 

 

 

 

 

 
 
 

 

7.13.0.20 and above or
7.10.1.15 and above to stay on LTS2023 7.10 
or  
7.7.5.25 and above to stay on LTS2022 7.7  
 

 

 

 

 

 

 

 

 

Contact customer support to schedule the code update. 

 

For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): 

6.2.1.100 and below 

6.2.1.110 and above  

CVEs Addressed                    

Product 

Affected Versions 

Remediated Versions 

Link 

CVE-2023-44286,  CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

 

Dell PowerProtect DD series appliances 

Dell PowerProtect DD Virtual Edition 

Dell APEX Protection Storage 

 

7.0 to 7.12.0.0 
 
 

  

7.13.0.20 and above or
7.10.1.15 and above to stay on LTS2023 7.10 
or  
7.7.5.25 and above to stay on LTS2022 7.7 

For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles): 
 

 

6.2.1.100 and below 

6.2.1.110 and above 

CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 

Dell PowerProtect DD management Center 

7.0 to 7.12.0.0 

7.13.0.10 and above 
or
7.10.1.15 and above to stay on LTS2023 7.10  
or   
7.7.5.25 and above to stay on LTS2022 7.7 

6.2.1.100 and below   

6.2.1.110 and above   

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 
 

PowerProtect DP Series Appliance (IDPA): All Models 

2.7.4 and below 

2.7.6 and above 

Link to PowerProtect DP Series Software:  https://www.dell.com/support/home/en-us/product-support/product/integrated-data-protection-appliance/drivers 
Link to PowerProtect DP Series Installation and Upgrade guide:  
Dell EMC PowerProtect DP Series Appliance 2.7.6 Installation and Upgrade Guide

 

 CVE-2023-44284 

PowerProtect Data Manager Appliance model: DM5500  

5.14 and below 

5.15.0.0 and above 

To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg 

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 
 
 
 
 

Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment 

 

 

 

 

7.0 to 7.12.0.0 

 

 

 

 

 

 

 

 

 

 

 

 
 
 

 

7.13.0.20 and above or
7.10.1.15 and above to stay on LTS2023 7.10 
or  
7.7.5.25 and above to stay on LTS2022 7.7  
 

 

 

 

 

 

 

 

 

Contact customer support to schedule the code update. 

 

For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): 

6.2.1.100 and below 

6.2.1.110 and above  

Additional, related information is available at this Knowledgebase article KB000220263: Additional Information Regarding DSA-2023-412: Dell PowerProtect DD Vulnerabilities.  

Expected availability dates are subject to change.

Acknowledgements

CVE-2023-44279: Dell Technologies would like to thank Rushank Shetty and Ryan Kane (Security Researchers at Northwestern Mutual) for reporting this issue. 

CVE-2023-44277, CVE-2023-44284, CVE-2023-44286: Dell Technologies would like to thank Jakub Brzozowski (redfr0g), Franciszek Kalinowski, and Stanisław Koza from STM Cyber for reporting these issues. 

CVE-2023-44277: Dell Technologies would like to thank Sebastian Grot and Bartosz Chalek for reporting this issue.

Revision History

Revision 

Date 

Description 

1.0 

2023-12-13

Initial Release 

2.02023-12-13 Updated for enhancement no change to content
3.02023-12-13 

• Updated "Affected Product" section under "Article Properties"
• Added Additional details stating "The downloads will be made available shortly"

4.02023-12-13Added Additional Acknowledgement in "Acknowledgements" section
5.02023-12-13• Corrected link in the "Affected Products and Remediation" Table 
• Removed Additional Details statement "The downloads will be made available shortly" 
• Updated "Affected Product section under "Article Properties"
6.02023-12-13Updated "Affected Product section under "Article Properties"
7.02023-12-15Added in the "Additional Info" section the following statement" Due to a known issue, we advise against upgrading DD9800 systems to DDOS 7.13.0.10. A workaround will be made available soon, and this page will be updated with the details. DD9800 systems can still be upgraded to DDOS 7.7.5.25 or 7.10.1.15
8.02023-12-19Corrected hyperlink in "Affected Products and Remediation" section
9.02023-12-19Added "Additional Details" section
Updated "Affected Products and Remediation" section
10.0-12.02023-12-21Updated "Affected Products and Remediation" section
13.02024-01-11Updated "Acknowledgements" section
14.02024-02-28Updated "Acknowledgments" section 

Related Information


Article Properties


Affected Product
Data Backup & Protection Storage, Data Domain, PowerProtect Data Protection Appliance, PowerProtect Data Manager Appliance, DD3300 Appliance, Data Domain Deduplication Storage Systems, DD OS 6.2, DD OS, DD OS 6.0, DD OS 6.1, DD OS 7.0, DD OS 7.1 , DD OS 7.10, DD OS 7.11, DD OS 7.12, DD OS 7.2, DD OS 7.3, DD OS 7.4, DD OS 7.5, DD OS 7.6, DD OS 7.7, DD OS 7.8, DD OS 7.9, Data Domain Virtual Edition, DD2200 Appliance, DD6300 Appliance, DD6400 Appliance, DD6800 Appliance, DD6900 Appliance, DD9300 Appliance, DD9400 Appliance, DD9800 Appliance, DD9900 Appliance, Disk Library for mainframe, PowerProtect Data Domain Management Center, Integrated Data Protection Appliance Software, PowerProtect DM5500 ...
Last Published Date

28 Feb 2024

Version

14

Article Type

Dell Security Advisory