Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000222691


DSA-2024-062: Security Update for Dell PowerScale OneFS for Proprietary Code Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for proprietary code vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

High

Details

Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2024-22463  Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to compromise of confidentiality and integrity of sensitive information 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25964 Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-24901 Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an insufficient logging vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability, causing audit messages lost and not recorded for a specific time period. 3.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2024-22463  Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to compromise of confidentiality and integrity of sensitive information 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25964 Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-24901 Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an insufficient logging vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability, causing audit messages lost and not recorded for a specific time period. 3.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-24901 PowerScale OneFS Versions 8.2.0 through 9.2.1.24 Version 9.2.1.25 or later PowerScale OneFS Downloads Area
CVE-2024-24901 PowerScale OneFS Versions 9.3.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-24901, CVE-2024-25964 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-24901 CVE-2024-22463 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-25964 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.1 or later PowerScale OneFS Downloads Area
CVE-2024-22463  PowerScale OneFS Versions 8.2.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-22463 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.5 Version 9.5.0.6 or later PowerScale OneFS Downloads Area
CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-24901 PowerScale OneFS Versions 8.2.0 through 9.2.1.24 Version 9.2.1.25 or later PowerScale OneFS Downloads Area
CVE-2024-24901 PowerScale OneFS Versions 9.3.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-24901, CVE-2024-25964 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-24901 CVE-2024-22463 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-25964 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.1 or later PowerScale OneFS Downloads Area
CVE-2024-22463  PowerScale OneFS Versions 8.2.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2024-22463 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.5 Version 9.5.0.6 or later PowerScale OneFS Downloads Area
Any version not listed in the Affected Products and Remediation section should upgrade Dell PowerScale OneFS to a version 9.5.0.7 or later.

We encourage all customers to adopt the LTS 2023 version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.7. 
For more information on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary

Workarounds and Mitigations

CVE Workaround/Mitigations
CVE-2024-22463 This vulnerability can be mitigated on Dell PowerScale OneFS version 9.5 or later by updating following ciphers manually in http-config and web-config by root.
# isi_gconfig -t http-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
# isi_gconfig -t web-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
In Compliance Mode:
% sudo isi_gconfig -t http-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
% sudo isi_gconfig -t web-config cipher_suites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256

Revision History

RevisionDateDescription
1.02024-03-04Initial Release
2.02024-03-25Added CVE-2024-25964 to the DSA

Related Information


Article Properties


Affected Product

PowerScale OneFS

Last Published Date

25 Mar 2024

Version

2

Article Type

Dell Security Advisory