Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000221707


DSA-2024-028: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

High

Details

Third-Party Component CVEs More information
Python CVE-2022-48566 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
Python CVE-2022-48560, CVE-2023-41105, CVE-2022-48564, CVE-2023-40217, CVE-2022-45061 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
GNU Screen CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
Curl CVE-2023-38545, CVE-2023-38546 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
OpenSSL CVE-2023-3446 https://nvd.nist.gov/vuln/detail/CVE-2023-3446 This hyperlink is taking you to a website outside of Dell Technologies.
python-certifi CVE-2023-37920 https://nvd.nist.gov/vuln/detail/CVE-2023-37920 This hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-22449 Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-22430  Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H This hyperlink is taking you to a website outside of Dell Technologies.
 
 
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-22449 Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-22430  Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H This hyperlink is taking you to a website outside of Dell Technologies.
 
 
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Version Remediated Version Link
CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215, CVE-2024-22430, CVE-2023-3446, CVE-2023-37920  PowerScale OneFS Versions 8.2.0 through 8.2.2 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-38545, CVE-2023-38546, CVE-2023-3446, CVE-2023-24626, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Versions 9.0.0.0 through 9.4.0.0 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214, CVE-2022-45061 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later, Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVEs Addressed Product Affected Version Remediated Version Link
CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215, CVE-2024-22430, CVE-2023-3446, CVE-2023-37920  PowerScale OneFS Versions 8.2.0 through 8.2.2 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-38545, CVE-2023-38546, CVE-2023-3446, CVE-2023-24626, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Versions 9.0.0.0 through 9.4.0.0 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214, CVE-2022-45061 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later, Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area

Workarounds and Mitigations

CVE Workaround and Mitigation
CVE-2024-22430 This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.
This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users. 
More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub
The following workaround is only applicable to a non-compliance mode cluster.
If there are users with restricted shell is not enabled, then root user should restrict the permissions for isi_upgrade_force and isi_upgrade_message on every node as follows:
#chmod 500 /usr/sbin/isi_upgrade_force
#chmod 500 /usr/sbin/isi_upgrade_message
Or execute below command on any one node:
#isi_for_array chmod 500 /usr/sbin/isi_upgrade_force
#isi_for_array chmod 500 /usr/sbin/isi_upgrade_message
CVE-2024-22449 This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.
This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users.
More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub

Revision History

RevisionDateDescription
1.02024-02-01Initial Release

Related Information


Article Properties


Affected Product

PowerScale OneFS

Last Published Date

01 Feb 2024

Version

1

Article Type

Dell Security Advisory