Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000201283

DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities

Summary: Dell PowerStore Family remediation is available for multiple security vulnerabilities that maybe exploited by malicious users to compromise the affected system.

Article Content

Impact

Critical

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-31234 Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-22555 Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-32498 Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code.   5.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L  This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-33923 Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVEs More Information
Ansible CVE-2019-10156 See NVD (http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.) for individual scores of each CVE.
Apache Shiro CVE-2021-41303
Highcharts JS CVE-2021-29489
Jinja2 CVE-2019-10906
CVE-2016-10745
CVE-2020-28493
libsndfile CVE-2021-3246
libX11
libX11-data		 CVE-2021-31535
libexpat CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2022-23852
CVE-2022-23990
CVE-2022-25235
CVE-2022-25236
CVE-2022-25315
Log4j CVE-2020-9488
CVE-2021-45105
CVE-2021-44832
lxml CVE-2021-43818
CVE-2021-28957
CVE-2020-27783
netty CVE-2021-43797
NSS NSPR
libfreebl3
libfreebl3-hmac
libsoftokn3
libsoftokn3-hmac
mozilla-nss
mozilla-nss-certs
mozilla-nss-tools     
mozilla-nspr		 CVE-2020-12403
CVE-2021-43527
numpy CVE-2021-41496
openssl CVE-2021-3711
pip CVE-2019-20916
postgres CVE-2021-32027
CVE-2021-32028
CVE-2021-3393
CVE-2021-3677
CVE-2021-23222
CVE-2021-23214
Python-3 CVE-2021-25315
CVE-2020-25592
CVE-2020-11651
CVE-2020-11652
CVE-2018-15751
pyyaml CVE-2020-14343
CVE-2017-18342
ruby CVE-2020-25613
xterm
xterm-bin		 CVE-2021-27135
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-31234 Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-22555 Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-32498 Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code.   5.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L  This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-33923 Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVEs More Information
Ansible CVE-2019-10156 See NVD (http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.) for individual scores of each CVE.
Apache Shiro CVE-2021-41303
Highcharts JS CVE-2021-29489
Jinja2 CVE-2019-10906
CVE-2016-10745
CVE-2020-28493
libsndfile CVE-2021-3246
libX11
libX11-data		 CVE-2021-31535
libexpat CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2022-23852
CVE-2022-23990
CVE-2022-25235
CVE-2022-25236
CVE-2022-25315
Log4j CVE-2020-9488
CVE-2021-45105
CVE-2021-44832
lxml CVE-2021-43818
CVE-2021-28957
CVE-2020-27783
netty CVE-2021-43797
NSS NSPR
libfreebl3
libfreebl3-hmac
libsoftokn3
libsoftokn3-hmac
mozilla-nss
mozilla-nss-certs
mozilla-nss-tools     
mozilla-nspr		 CVE-2020-12403
CVE-2021-43527
numpy CVE-2021-41496
openssl CVE-2021-3711
pip CVE-2019-20916
postgres CVE-2021-32027
CVE-2021-32028
CVE-2021-3393
CVE-2021-3677
CVE-2021-23222
CVE-2021-23214
Python-3 CVE-2021-25315
CVE-2020-25592
CVE-2020-11651
CVE-2020-11652
CVE-2018-15751
pyyaml CVE-2020-14343
CVE-2017-18342
ruby CVE-2020-25613
xterm
xterm-bin		 CVE-2021-27135
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Products Affected Versions Updated Versions Link to Update
All CVEs above excluding CVE-2022-32498 PowerStore T OS PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 PowerStore T OS Upgrade 3.0.0.0-1732745 https://www.dell.com/support/home/?app=drivers

 
CVE-2022-32498 PowerStore Command Line Interface (CLI) tool for Windows PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745		 PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745		 https://www.dell.com/support/home/?app=drivers
CVEs Addressed Products Affected Versions Updated Versions Link to Update
All CVEs above excluding CVE-2022-32498 PowerStore T OS PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 PowerStore T OS Upgrade 3.0.0.0-1732745 https://www.dell.com/support/home/?app=drivers

 
CVE-2022-32498 PowerStore Command Line Interface (CLI) tool for Windows PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745		 PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745		 https://www.dell.com/support/home/?app=drivers

Workarounds and Mitigations

CVE-2022-31234:
Configure a long, complex password for the System management account, and change it on a regular basis. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for password requirements. The minimum number of characters is 8 however you should configure a longer than 8 password in order to make it very difficult to brute force.    

CVE-2022-22555:
An attacker requires local access through external SSH; therefore, it is recommended to always leave the external SSH service interface disabled unless it must be used to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for detailed information about external SSH access.

Revision History

RevisionDateMore Information
1.02022-07-07Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Information

Article Properties

Affected Product

PowerStore, PowerStore 1000T, PowerStore 1200T, PowerStore 3000T, PowerStore 5000T, PowerStore 500T, PowerStore 7000T, PowerStore 9000T, Product Security Information

Last Published Date

20 Jun 2023

Version

2

Article Type

Dell Security Advisory

Back to Top