Article Number: 000216916

DSA-2023-277: Security Update for Dell PowerScale OneFS for Improper Privilege Management Vulnerability

Summary: Dell PowerScale OneFS remediation is available for improper privilege management vulnerability that could be exploited by malicious users to compromise the affected system.

Article Content

Impact

High

Details

Proprietary Code CVE	Description	CVSS Base Score	CVSS Vector String
CVE-2023-32457	Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of privileges.	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Proprietary Code CVE	Description	CVSS Base Score	CVSS Vector String
CVE-2023-32457	Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of privileges.	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVE Addressed	Product	Affected Versions	Remediated Versions	Link
CVE-2023-32457	PowerScale OneFS	Version 9.2.1.0 through 9.2.1.22	Version 9.2.1.23 or later, Version 9.4.0.14 or later, Version 9.5.0.5 or later	https://www.dell.com/support/home/product-support/product/isilon-onefs/drivers
CVE-2023-32457	PowerScale OneFS	Version 9.4.0.0 through 9.4.0.13	Version 9.4.0.14 or later, Version 9.5.0.5 or later	https://www.dell.com/support/home/product-support/product/isilon-onefs/drivers
CVE-2023-32457	PowerScale OneFS	Version 9.5.0.0 through 9.5.0.3	Version 9.5.0.5 or later	https://www.dell.com/support/home/product-support/product/isilon-onefs/drivers

CVE Addressed	Product	Affected Versions	Remediated Versions	Link
CVE-2023-32457	PowerScale OneFS	Version 9.2.1.0 through 9.2.1.22	Version 9.2.1.23 or later, Version 9.4.0.14 or later, Version 9.5.0.5 or later	https://www.dell.com/support/home/product-support/product/isilon-onefs/drivers
CVE-2023-32457	PowerScale OneFS	Version 9.4.0.0 through 9.4.0.13	Version 9.4.0.14 or later, Version 9.5.0.5 or later	https://www.dell.com/support/home/product-support/product/isilon-onefs/drivers
CVE-2023-32457	PowerScale OneFS	Version 9.5.0.0 through 9.5.0.3	Version 9.5.0.5 or later	https://www.dell.com/support/home/product-support/product/isilon-onefs/drivers

Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.5.0.5 or later.

We encourage all customers to adopt the LTS 2023 version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.5. For more information on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary

Workarounds and Mitigations

CVE	Workarounds
CVE-2023-32457	This vulnerability can be mitigated by performing following steps: Check/remove membership from any roles when deleting user or group from local provider until upgrade to fixed version. Review all roles members for non-existent/unintended user or group for correction. Following command will provide the lists of roles and users membership: for zone in $(isi zone zones list -az \| awk ' { print $1 } ') ; do for role in $(isi auth roles list -az --zone $zone \| awk ' { print $1 } '); do echo "Zone: $zone\tRole: $role" ; isi auth roles members list $role -v --zone $zone \| grep -v -- --; echo; done; done In addition to upgrading your version of OneFS or downloading and installing the latest RUP, please perform step 2 to remove any past mis-mapping.

CVE

Workarounds

CVE-2023-32457

This vulnerability can be mitigated by performing following steps:

Check/remove membership from any roles when deleting user or group from local provider until upgrade to fixed version.
Review all roles members for non-existent/unintended user or group for correction. Following command will provide the lists of roles and users membership:

for zone in $(isi zone zones list -az | awk ' { print $1 } ') ; do for role in $(isi auth roles list -az --zone $zone | awk ' { print $1 } '); do echo "Zone: $zone\tRole: $role" ; isi auth roles members list $role -v --zone $zone | grep -v -- --; echo; done; done

In addition to upgrading your version of OneFS or downloading and installing the latest RUP, please perform step 2 to remove any past mis-mapping.

Revision History

Revision	Date	Description
1.0	2023-08-29	Initial Release

DSA-2023-277: Security Update for Dell PowerScale OneFS for Improper Privilege Management Vulnerability

Summary: Dell PowerScale OneFS remediation is available for improper privilege management vulnerability that could be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Workarounds and Mitigations

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Last Published Date

Version

Article Type

Welcome

Welcome to Dell

DSA-2023-277: Security Update for Dell PowerScale OneFS for Improper Privilege Management Vulnerability

Summary: Dell PowerScale OneFS remediation is available for improper privilege management vulnerability that could be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Workarounds and Mitigations

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Last Published Date

Version

Article Type