
Article Number: 000216717


DSA-2023-269: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Impact

High

Details

Third-Party Component CVEs (CVSS Vector String)

Apache HTTP Server
  CVEs: CVE-2022-37436, CVE-2006-20001
  CVSS: see the NVD entry for each CVE at http://nvd.nist.gov/

Python py-certifi module
  CVEs: CVE-2022-23491
  CVSS: https://nvd.nist.gov/vuln/detail/CVE-2022-23491

Proprietary Code CVEs (Description, CVSS Base Score, CVSS Vector String)

CVE-2023-32495 (7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Dell PowerScale OneFS 8.2.x-9.5.x contains an exposure of sensitive information to an unauthorized actor vulnerability. An authorized local attacker could potentially exploit this vulnerability, leading to escalation of privileges.

CVE-2023-32487 (7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Dell PowerScale OneFS 8.2.x-9.5.0.x contains an elevation of privilege vulnerability. A low-privileged local attacker could potentially exploit this vulnerability, leading to denial of service, code execution and information disclosure.

CVE-2023-32493 (7.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  Dell PowerScale OneFS 9.5.0.x contains a protection mechanism bypass vulnerability. An unprivileged remote attacker could potentially exploit this vulnerability, leading to denial of service, information disclosure and remote code execution.

CVE-2023-32494 (6.7, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Dell PowerScale OneFS 8.0.x-9.5.x contains an improper handling of insufficient privileges vulnerability. A local privileged attacker could potentially exploit this vulnerability, leading to elevation of privilege. Clusters in compliance mode are also affected.

CVE-2023-32486 (6.7, CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
  Dell PowerScale OneFS 9.5.x contains a privilege escalation vulnerability. A low-privileged local attacker could potentially exploit this vulnerability, leading to escalation of privileges.

CVE-2023-32489 (6.7, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Dell PowerScale OneFS 8.2.x-9.5.x contains a privilege escalation vulnerability. A local attacker with high privileges could potentially exploit this vulnerability to bypass mode protections and gain elevated privileges.

CVE-2023-32490 (6.7, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Dell PowerScale OneFS 8.2.x-9.5.x contains an improper privilege management vulnerability. A high-privileged local attacker could potentially exploit this vulnerability, leading to system takeover.

CVE-2023-32491 (6.3, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  Dell PowerScale OneFS 9.5.0.x contains an insertion of sensitive information into log file vulnerability in SNMPv3. A low-privileged user could potentially exploit this vulnerability, leading to information disclosure.

CVE-2023-32488 (5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Dell PowerScale OneFS 8.2.x-9.5.0.x contains an information disclosure vulnerability in NFS. A low-privileged attacker could potentially exploit this vulnerability, leading to information disclosure.

CVE-2023-32492 (5.3, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
  Dell PowerScale OneFS 9.5.0.x contains an incorrect default permissions vulnerability. A low-privileged local attacker could potentially exploit this vulnerability, leading to information disclosure or modification of files.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Product: PowerScale OneFS (download remediated releases from the PowerScale OneFS Downloads Area)

Affected Versions: 9.2.1.0 through 9.2.1.22
  CVEs Addressed: CVE-2023-32494, CVE-2023-32495, CVE-2023-32487, CVE-2023-32488, CVE-2023-32489, CVE-2023-32490
  Remediated Versions: 9.2.1.23 or later, 9.4.0.14 or later, 9.5.0.5 or later

Affected Versions: 9.4.0.0 through 9.4.0.13
  CVEs Addressed: CVE-2023-32494, CVE-2023-32495, CVE-2023-32487, CVE-2023-32488, CVE-2023-32489, CVE-2023-32490
  Remediated Versions: 9.4.0.14 or later, 9.5.0.5 or later

Affected Versions: 9.5.0.0 through 9.5.0.3
  CVEs Addressed: CVE-2023-32494, CVE-2023-32495, CVE-2023-32487, CVE-2023-32488, CVE-2023-32489, CVE-2023-32490, CVE-2023-32486, CVE-2023-32491, CVE-2023-32492, CVE-2023-32493, CVE-2022-23491, CVE-2022-37436, CVE-2006-20001
  Remediated Versions: 9.5.0.5 or later
CVE-2023-32487, CVE-2023-32489, CVE-2023-32490 and CVE-2023-32494 break the compliance mode guarantee on a compliance mode cluster, so this advisory is marked as business critical.

Any version not listed in the Affected Products and Remediation section should be upgraded to PowerScale OneFS 9.5.0.5 or later.

We encourage all customers to adopt the LTS 2023 code line, 9.5.x, with the latest maintenance RUP, 9.5.0.5. For more information on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary (https://www.dell.com/support/kbdoc/en-us/000206599).

Workarounds and Mitigations

CVE / Workarounds

CVE-2023-32486
  This vulnerability only applies to users who have been granted ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE.
  On PowerScale OneFS 9.5 or later it can be mitigated by enabling the restricted shell for those users.
  More information regarding the restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub

CVE-2023-32488
  Reload the NFS exports using the following command:
  isi nfs exports reload

CVE-2023-32490
  This vulnerability only applies to users who have been granted ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE.
  On PowerScale OneFS 9.5 or later it can be mitigated by enabling the restricted shell for those users.
  More information regarding the restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub

CVE-2023-32492
  This workaround is only applicable to a cluster that is not in compliance mode.
  Manually change the ownership and permissions of the /ifs/netlog directory to more secure values as follows:
  chmod -R 750 /ifs/netlog
  chmod 770 /ifs/netlog/bundled
  chmod 440 /ifs/netlog/bundled/*.bz2
  chown -R root:wheel /ifs/netlog

  In addition to upgrading your version of OneFS or downloading and installing the latest RUP, manually change the permissions of the bundled files using the following command:
  chmod 440 /ifs/netlog/bundled/*.bz2

CVE-2023-32494
  This vulnerability only applies to users who have been granted ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE.
  On PowerScale OneFS 9.5 or later it can be mitigated by enabling the restricted shell for those users.
  More information regarding the restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub
  Additionally, the severity of this CVE is lowered if the customer changes the password hash from the default NTHASH to a more secure salted SHA256 or SHA512 hash.
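The chmod/chown sequence for CVE-2023-32492 above is a one-time fix; nothing tells an operator whether it took, or whether a later log bundle was written with the old default permissions. The following audit script is an added example, not Dell tooling from this advisory: it walks a netlog tree and reports every path whose mode or owner deviates from the values the workaround prescribes (750 on the tree, 770 on bundled/, 440 on bundled/*.bz2, everything owned by root:wheel). The function and variable names are the author's own. It tries GNU stat flags first and falls back to BSD stat flags (OneFS is FreeBSD-based); the expected owner is a parameter so the check can be exercised on a scratch directory as an unprivileged user. As the advisory says, the workaround itself does not apply to a compliance mode cluster, where the root account needed for chown is not available.

```shell
#!/bin/sh
# Audit helper for the CVE-2023-32492 workaround (added example, not Dell's code).
# Reports each path under a netlog tree whose mode or owner differs from the
# values the advisory prescribes and returns non-zero if anything deviates.
# Paths containing whitespace are not expected under /ifs/netlog and are not handled.

# mode_of PATH -> permission bits in octal (e.g. 750); GNU stat, then BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# owner_of PATH -> user:group; GNU stat, then BSD stat.
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# expect_mode PATH MODE -> prints a finding and returns 1 on mismatch.
expect_mode() {
    actual=$(mode_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH mode  $1: have $actual, want $2"
        return 1
    fi
}

# audit_netlog_perms [BASE] [OWNER]
# BASE defaults to /ifs/netlog and OWNER to root:wheel. Returns 0 only when
# every check passes; each deviation is printed so it can be corrected with
# the chmod/chown commands from the advisory.
audit_netlog_perms() {
    base=${1:-/ifs/netlog}
    owner=${2:-root:wheel}
    rc=0
    [ -d "$base" ] || { echo "MISSING $base"; return 1; }

    # The top-level directory gets 750; bundled/ gets 770; bundles get 440.
    expect_mode "$base" 750 || rc=1
    if [ -d "$base/bundled" ]; then
        expect_mode "$base/bundled" 770 || rc=1
        for f in "$base"/bundled/*.bz2; do
            [ -e "$f" ] || continue      # glob matched nothing
            expect_mode "$f" 440 || rc=1
        done
    fi

    # After 'chmod -R 750', everything else in the tree should still be 750.
    for p in $(find "$base" -mindepth 1 ! -path "$base/bundled" ! -name '*.bz2'); do
        expect_mode "$p" 750 || rc=1
    done

    # 'chown -R' makes the whole tree belong to OWNER.
    for p in $(find "$base"); do
        o=$(owner_of "$p")
        if [ "$o" != "$owner" ]; then
            echo "MISMATCH owner $p: have $o, want $owner"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit_netlog.sh /ifs/netlog root:wheel
if [ "$#" -gt 0 ]; then
    audit_netlog_perms "$@"
fi
```

Run it once after applying the workaround and again after any upgrade or RUP install, since the advisory notes that the chmod 440 on bundled/*.bz2 must be reapplied manually even on a remediated release.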

Revision History

Revision  Date        Description
1.0       2023-08-14  Initial Release
2.0       2024-02-01  Updated Workarounds and Mitigations section

Article Properties

Affected Product: PowerScale OneFS
Last Published Date: 01 Feb 2024
Version: 4
Article Type: Dell Security Advisory