DSA-2024-405: Security Update for Dell Products for Multiple Vulnerabilities
Summary: Remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise affected systems.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
| CVE-2024-37143 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Improper Link Resolution Before File Access vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to execute arbitrary code on the system. |
10.0 |
|
| CVE-2024-37144 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Insecure Storage of Sensitive Information vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. The attacker may be able to use information disclosed to gain unauthorized access to pods within the cluster. |
8.2 |
| Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
| CVE-2024-37143 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Improper Link Resolution Before File Access vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to execute arbitrary code on the system. |
10.0 |
|
| CVE-2024-37144 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Insecure Storage of Sensitive Information vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. The attacker may be able to use information disclosed to gain unauthorized access to pods within the cluster. |
8.2 |
Affected Products & Remediation
| Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.381.00 |
Version 46.381.00 or later |
|
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.376.00 |
Version 46.376.00 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.8.1.0 |
Version 3.8.1.0 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.7.6.0 |
Version 3.7.6.0 or later |
|
| Dell PowerFlex custom node |
PowerFlex Manager |
Versions prior to 4.6.1.0 |
Version 4.6.1.0 or later |
|
| Dell InsightIQ |
Installation Package |
Versions prior to 5.1.1 |
Version 5.1.1 or later |
|
| Dell Data Lakehouse |
Bundle |
Versions prior to 1.2.0.0 |
Version 1.2.0.0 or later |
| Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.381.00 |
Version 46.381.00 or later |
|
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.376.00 |
Version 46.376.00 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.8.1.0 |
Version 3.8.1.0 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.7.6.0 |
Version 3.7.6.0 or later |
|
| Dell PowerFlex custom node |
PowerFlex Manager |
Versions prior to 4.6.1.0 |
Version 4.6.1.0 or later |
|
| Dell InsightIQ |
Installation Package |
Versions prior to 5.1.1 |
Version 5.1.1 or later |
|
| Dell Data Lakehouse |
Bundle |
Versions prior to 1.2.0.0 |
Version 1.2.0.0 or later |
Workarounds & Mitigations
| CVE ID |
Workaround and Mitigation |
| CVE-2024-37143 |
For remediation for PowerFlex Manager versions prior to 4.6.1 (RCMs prior to 3.7.6.0/3.8.1.0 or ICs prior to 46.376.00/46.381.00), reference KB Article 000231116 Mitigation for Powerflex Manager CVE-2024-37143 (customer login required). |
Revision History
|
Revision |
Date |
Description |
|
1.0 |
2024-12-09 |
Initial Release |
|
2.0 |
2024-12-10 |
Updated Affected Products section at bottom of advisory |
Related Information
Legal Disclaimer
Affected Products
PowerFlex rack, PowerFlex Appliance, Dell Data Lakehouse, Isilon InsightIQ, PowerFlex appliance Intelligent Catalog Software, PowerFlex custom node, PowerFlex custom node R650, PowerFlex custom node R6525, PowerFlex custom node R660
, PowerFlex custom node R6625, PowerFlex custom node R750, PowerFlex custom node R760, PowerFlex custom node R7625, PowerFlex rack RCM Software, PowerScale InsightIQ
...
Article Properties
Article Number: 000258342
Article Type: Dell Security Advisory
Last Modified: 10 Dec 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.