DSA-2024-115: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

Critical

Details

Third-Party Component CVEs More information
FreeBSD C library (libc) CVE-2023-5941 https://nvd.nist.gov/vuln/detail/CVE-2023-5941 This hyperlink is taking you to a website outside of Dell Technologies.
PCRE CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
follow-redirects CVE-2023-26159 https://nvd.nist.gov/vuln/detail/CVE-2023-26159 This hyperlink is taking you to a website outside of Dell Technologies.
OpenSSH CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 See NVD link below for individual scores for each CVE. 
https://nvd.nist.gov/This hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-25959 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25960 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 7.3  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25961 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25952 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25953 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25963 Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25954 Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-25959 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25960 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 7.3  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25961 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25952 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25953 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25963 Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25954 Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 PowerScale OneFS Version 8.2.2 through 9.3.0.0 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.5.0.0 through 9.5.0.7 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 PowerScale OneFS Version 9.7.0.0 through 9.7.0.1 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 PowerScale OneFS Version 9.7.0.0 through 9.7.0.2 Version 9.7.0.3 or later PowerScale OneFS Downloads Area
CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 PowerScale OneFS Version 8.2.2 through 9.3.0.0 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.5.0.0 through 9.5.0.7 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 PowerScale OneFS Version 9.7.0.0 through 9.7.0.1 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 PowerScale OneFS Version 9.7.0.0 through 9.7.0.2 Version 9.7.0.3 or later PowerScale OneFS Downloads Area
Note: 
  • Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.5.0.8 or later.
  • We encourage all customers to adopt the version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.8.
  • For more information LTS 2023 on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary
  • CVE-2024-25954: This vulnerability is only impacted when httpd server for data path is started. By default, this httpd server is disabled on PowerScale OneFS.
  • Unless specified as impacted, the term “or Later” encompasses all PowerScale OneFS releases, under standard support, that are of a higher minor or major version than the specified release.

Workarounds & Mitigations

CVEs Workaround and Mitigation
CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953  This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.

Mitigations:
This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users.
More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub
CVE-2023-48795

This vulnerability can be mitigated by removing the chacha20-poly1305@openssh.com from
the default ciphers using the below command:

isi ssh settings modify --ciphers=aes192-ctr,aes256-ctr,aes256-gcm@openssh.com

Revision History

RevisionDateDescription
1.02024-03-28Initial Release
2.02024-04-29Updated for enhanced presentation with no changes to content
3.02024-04-29Updated for enhanced presentation with no changes to content
4.02024-04-29Updated CVE Identifier, Third Party Components, and Affected Products and Remediation sections: Added CVE-2023-51384 and CVE-2023-51385; Added Workaround details for CVE-2023-48795
5.02024-06-06Updated Affected Products and Remediation section: Remediated Version 9.7.0.3 or later
6.02024-10-03Updated for enhanced presentation with no changes to content
7.02024-10-03Updated for enhanced presentation with no changes to content

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000223366
Article Type: Dell Security Advisory
Last Modified: 19 Sep 2025
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.