
Article Number: 000201283


DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities

Summary: Dell PowerStore Family remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Impact

Critical

Details

Proprietary Code CVEs

CVE-2022-31234
  Description: Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.
  CVSS Base Score: 8.1
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22555
  Description: Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege.
  CVSS Base Score: 6.0
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2022-32498
  Description: Dell PowerStore CLI for Windows has the potential for a DLL hijacking exploit. Exploitation may lead to the execution of arbitrary code.
  CVSS Base Score: 5.5
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

CVE-2022-33923
  Description: Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploitation may lead to a system takeover by an attacker.
  CVSS Base Score: 6.4
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
 
Third-party Component CVEs

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

Ansible: CVE-2019-10156
Apache Shiro: CVE-2021-41303
Highcharts JS: CVE-2021-29489
Jinja2: CVE-2019-10906, CVE-2016-10745, CVE-2020-28493
libsndfile: CVE-2021-3246
libX11, libX11-data: CVE-2021-31535
libexpat: CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315
Log4j: CVE-2020-9488, CVE-2021-45105, CVE-2021-44832
lxml: CVE-2021-43818, CVE-2021-28957, CVE-2020-27783
netty: CVE-2021-43797
NSS NSPR (libfreebl3, libfreebl3-hmac, libsoftokn3, libsoftokn3-hmac, mozilla-nss, mozilla-nss-certs, mozilla-nss-tools, mozilla-nspr): CVE-2020-12403, CVE-2021-43527
numpy: CVE-2021-41496
openssl: CVE-2021-3711
pip: CVE-2019-20916
postgres: CVE-2021-32027, CVE-2021-32028, CVE-2021-3393, CVE-2021-3677, CVE-2021-23222, CVE-2021-23214
Python-3: CVE-2021-25315, CVE-2020-25592, CVE-2020-11651, CVE-2020-11652, CVE-2018-15751
pyyaml: CVE-2020-14343, CVE-2017-18342
ruby: CVE-2020-25613
xterm, xterm-bin: CVE-2021-27135

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed: All CVEs above excluding CVE-2022-32498
  Products Affected: PowerStore T OS
  Affected Versions: PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745
  Updated Versions: PowerStore T OS Upgrade 3.0.0.0-1732745
  Link to Update: https://www.dell.com/support/home/?app=drivers

CVEs Addressed: CVE-2022-32498
  Products Affected: PowerStore Command Line Interface (CLI) tool for Windows
  Affected Versions: PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745; PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745
  Updated Versions: PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745; PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745
  Link to Update: https://www.dell.com/support/home/?app=drivers

Workarounds and Mitigations

CVE-2022-31234:
Configure a long, complex password for the System management account, and change it on a regular basis. See PowerStore Security Configuration Guide (https://dl.dell.com/content/manual52196227-dell-emc-powerstore-security-configuration-guide.pdf) for password requirements. The minimum password length is 8 characters; configure a password longer than 8 characters to make brute-forcing very difficult.
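The weakness behind CVE-2022-31234 is the absence of a limit on failed authentication attempts, which is why the interim mitigation leans entirely on password length. The block below is an added example, not PowerStore code, of the server-side control that closes that gap: a per-account sliding-window failure counter with a lockout, checked before the password so a locked account answers identically to right and wrong guesses. The credential store, the account name and the sample password are constructed for the demo, and the clock is injectable so the lockout window can be exercised without sleeping.

```python
"""Failed-login throttling for a management login (added example; not PowerStore code)."""
import hashlib
import hmac
import time

# Constructed credential store: one account, PBKDF2-hashed. Sample values only.
_SALT = b"constructed-salt-not-secret"
CORRECT_PASSWORD = "sample-long-passphrase-for-demo-only"
_USERS = {"admin": hashlib.pbkdf2_hmac("sha256", CORRECT_PASSWORD.encode(), _SALT, 50_000)}


def verify_password(account: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown accounts still pay the hashing cost."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    stored = _USERS.get(account, b"\x00" * len(candidate))
    return account in _USERS and hmac.compare_digest(stored, candidate)


class ManualClock:
    """Deterministic clock so the lockout window can be tested without real waiting."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds: float):
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    """Counts failures per account in a sliding window and locks the account once the limit is hit."""
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # lock expired: clear it together with the failure history
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one failure; returns True if this one triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str):
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'denied'. The lock is checked before the password, so a locked
    account gives the same answer for right and wrong guesses."""
    if throttle.is_locked(account):
        return "locked"
    if verify_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


def demo() -> list:
    """Five wrong guesses lock 'admin'; the right password is refused until the lock expires."""
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=300, lockout_seconds=900, clock=clock)
    results = [attempt_login(throttle, "admin", "wrong-guess") for _ in range(5)]
    results.append(attempt_login(throttle, "admin", CORRECT_PASSWORD))  # locked despite the right password
    clock.advance(900)
    results.append(attempt_login(throttle, "admin", CORRECT_PASSWORD))
    return results


if __name__ == "__main__":
    print(demo())
```

A fixed lockout on an unauthenticated network path has its own failure mode: anyone who can reach the login page can keep the management account locked, so in practice this is paired with per-source throttling or progressive delays, and every lockout is logged and alerted on. Until the fixed release is installed, the long-password guidance above remains the control that actually bounds the risk.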

CVE-2022-22555:
An attacker requires local access through external SSH; therefore, it is recommended to always leave the external SSH service interface disabled unless it must be used to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure. See PowerStore Security Configuration Guide (https://dl.dell.com/content/manual52196227-dell-emc-powerstore-security-configuration-guide.pdf) for detailed information about external SSH access.

Revision History

Revision  Date        More Information
1.0       2022-07-07  Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Article Properties


Affected Product

PowerStore, PowerStore 1000T, PowerStore 1200T, PowerStore 3000T, PowerStore 5000T, PowerStore 500T, PowerStore 7000T, PowerStore 9000T, Product Security Information

Last Published Date

07 Jul 2022

Version

1

Article Type

Dell Security Advisory