DSA-2024-062: Security Update for Dell PowerScale OneFS for Proprietary Code Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for proprietary code vulnerabilities that could be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

High

Details

Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2024-22463  Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to compromise of confidentiality and integrity of sensitive information 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25964 Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-24901 Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an insufficient logging vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability, causing audit messages lost and not recorded for a specific time period. 3.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2024-22463  Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to compromise of confidentiality and integrity of sensitive information 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25964 Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-24901 Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an insufficient logging vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability, causing audit messages lost and not recorded for a specific time period. 3.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-24901 PowerScale OneFS Versions 8.2.0 through 9.2.1.24 Version 9.2.1.25 or later PowerScale OneFS Downloads Area
CVE-2024-24901 PowerScale OneFS Versions 9.3.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-24901, CVE-2024-25964 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-24901 CVE-2024-22463 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-25964 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.1 or later PowerScale OneFS Downloads Area
CVE-2024-22463  PowerScale OneFS Versions 8.2.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-22463 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.5 Version 9.5.0.6 or later PowerScale OneFS Downloads Area
CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-24901 PowerScale OneFS Versions 8.2.0 through 9.2.1.24 Version 9.2.1.25 or later PowerScale OneFS Downloads Area
CVE-2024-24901 PowerScale OneFS Versions 9.3.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-24901, CVE-2024-25964 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-24901 CVE-2024-22463 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-25964 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.1 or later PowerScale OneFS Downloads Area
CVE-2024-22463  PowerScale OneFS Versions 8.2.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-22463 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.5 Version 9.5.0.6 or later PowerScale OneFS Downloads Area
Any version not listed in the Affected Products and Remediation section should upgrade Dell PowerScale OneFS to a version 9.5.0.7 or later.

We encourage all customers to adopt the LTS 2023 version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.7. 
For more information on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary

Workarounds & Mitigations

CVE Workaround/Mitigations
CVE-2024-22463 This vulnerability can be mitigated on Dell PowerScale OneFS version 9.5 or later by updating following ciphers manually in http-config and web-config by root. 
# isi_gconfig -t http-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
# isi_gconfig -t web-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
In Compliance Mode: 
% sudo isi_gconfig -t http-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
% sudo isi_gconfig -t web-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256

Revision History

RevisionDateDescription
1.02024-03-04Initial Release
2.02024-03-25Added CVE-2024-25964 to the DSA

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000222691
Article Type: Dell Security Advisory
Last Modified: 19 Sep 2025
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.