DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability
Resumen: Dell Unity, Unity VSA and Unity XT remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Este artículo se aplica a
Este artículo no se aplica a
Este artículo no está vinculado a ningún producto específico.
No se identifican todas las versiones del producto en este artículo.
Impacto
Critical
Detalles
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Corrección y productos afectados
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
Historial de revisiones
|
Revision |
Date |
Description |
|---|---|---|
|
1.0 |
2023-05-08 |
Initial Release |
| 2.0 | 2023-09-01 | Updated for enhanced presentation with no changes to content. |
| 3.0 | 2023-10-23 | Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section |
| 4.0 | 2023-11-22 | Added 1 new CVE-2023-43082 under "PROPRIERTARY CODE" section |
| 5.0 | 2024-01-24 | Added 1 new CVE-2024-22229 under "PROPRIERTARY CODE" section |
Información relacionada
Descargo de responsabilidad
Productos afectados
Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA Professional Edition/Unity Cloud EditionPropiedades del artículo
Número del artículo: 000213152
Tipo de artículo: Dell Security Advisory
Última modificación: 09 sept 2025
Encuentre respuestas a sus preguntas de otros usuarios de Dell
Servicios de soporte
Compruebe si el dispositivo está cubierto por los servicios de soporte.