Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000223366


DSA-2024-115: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

Critical

Details

Third-Party Component CVEs More information
FreeBSD C library (libc) CVE-2023-5941 https://nvd.nist.gov/vuln/detail/CVE-2023-5941 This hyperlink is taking you to a website outside of Dell Technologies.
PCRE CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
follow-redirects CVE-2023-26159 https://nvd.nist.gov/vuln/detail/CVE-2023-26159 This hyperlink is taking you to a website outside of Dell Technologies.
OpenSSH CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 See NVD link below for individual scores for each CVE. 
https://nvd.nist.gov/This hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-25959 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25960 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 7.3  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25961 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25952 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25953 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25963 Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25954 Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-25959 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25960 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 7.3  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25961 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25952 Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25953 Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25963 Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-25954 Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Version Remediated Version Link
CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 PowerScale OneFS Version 8.2.2 through 9.3.0.0 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.5.0.0 through 9.5.0.7 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 PowerScale OneFS Version 9.7.0.0 through 9.7.0.1 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 PowerScale OneFS Version 9.7.0.0 through 9.7.0.2 Expected RUP in April 2024 PowerScale OneFS Downloads Area
CVEs Addressed Product Affected Version Remediated Version Link
CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 PowerScale OneFS Version 8.2.2 through 9.3.0.0 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 PowerScale OneFS Version 9.4.0.0 through 9.4.0.16 Version 9.4.0.17 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.5.0.0 through 9.5.0.7 Version 9.5.0.8 or later PowerScale OneFS Downloads Area
CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 PowerScale OneFS Version 9.6.1.0 through 9.7.0.0 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 PowerScale OneFS Version 9.7.0.0 through 9.7.0.1 Version 9.7.0.2 or later PowerScale OneFS Downloads Area
CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 PowerScale OneFS Version 9.7.0.0 through 9.7.0.2 Expected RUP in April 2024 PowerScale OneFS Downloads Area
Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.5.0.8 or later.

We encourage all customers to adopt the version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.8. For more information LTS 2023 on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary

CVE-2024-25954: This vulnerability is only impacted when httpd server for data path is started. By default, this httpd server is disabled on PowerScale OneFS.

Unless specified as impacted, the term “or Later” encompasses all PowerScale OneFS releases, under standard support, that are of a higher minor or major version than the specified release.

Workarounds and Mitigations

CVEs Workaround
CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953  This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.

Mitigations:
This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users.
More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub
CVE-2023-48795

This vulnerability can be mitigated by removing the chacha20-poly1305@openssh.com from
the default ciphers using the below command:

isi ssh settings modify --ciphers=aes192-ctr,aes256-ctr,aes256-gcm@openssh.com

Revision History

RevisionDateDescription
1.02024-03-28Initial Release
2.02024-04-29Updated for enhanced presentation with no changes to content
3.02024-04-29Updated for enhanced presentation with no changes to content
4.02024-04-29Updated CVE Identifier, Third Party Components, and Affected Products and Remediation sections: Added CVE-2023-51384 and CVE-2023-51385; Added Workaround details for CVE-2023-48795

Related Information


Article Properties


Last Published Date

29 Apr 2024

Version

4

Article Type

Dell Security Advisory