DSA-2024-414: Security Update for Dell PowerFlex Rack Multiple Third-Party Component Vulnerabilities
Resumen: Dell PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Impacto
Critical
Detalles
|
Third-party Component |
CVEs |
More Information |
|
Dell PowerEdge Server BIOS |
CVE-2023-32666, CVE-2023-38575, CVE-2023-39368, CVE-2023-22655, CVE-2023-35191, CVE-2024-0162, CVE-2024-0163, CVE-2024-0154. CVE-2024-0173, CVE-2023-31346, CVE-2023-31347, CVE-2024-0161, CVE-2021-26344, CVE-2021-26387, CVE-2021-46772, CVE-2021-46746, CVE-2023-20518, CVE-2023-20578, CVE-2023-20584, CVE-2023-20591, CVE-2023-31356, CVE-2024-21981 |
DSA-2024-005, DSA-2024-004, DSA-2024-003, DSA-2024-034, DSA-2024-002, DSA-2024-006, DSA-2024-350 |
|
iDRAC |
CVE-2023-29499, CVE-2024-25943, CVE-2023-48795, CVE-2024-38433, CVE-2024-6387 |
DSA-2024-286, DSA-2024-099, DSA-2024-021, DSA-2024-223, DSA-2024-342 |
|
OpenSSH |
CVE-2020-15778 |
See NVD link below for individual scores for each CVE. http://nvd.nist.gov/  |
|
Intel |
CVE-2024-21828 |
|
|
Cisco Switches |
CVE-2024-20399 |
|
|
VMWare |
CVE-2024-22273, CVE-2024-22274, CVE-2024-22275, CVE-2024-37079, CVE-2024-37080, CVE-2024-37081, CVE-2024-37086, CVE-2024-37087 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2024-39588 | Dell PowerFlex Gateway 3.5.1.9 contains a Cross-Site Request Forgery Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an authenticated victim application user being tricked into sending state-changing requests to the vulnerable application, causing unintended server operations | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVE-2024-49598 | Dell PowerFlex Rack versions prior to 3.6.3, contains a Use of a Broken or Risky Cryptographic Algorithm vulnerability, in the Storage Nodes component. An unauthenticated attacker on the adjacent network could potentially exploit this in a man-in-the-middle attack leading to information disclosure. | 6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2024-39588 | Dell PowerFlex Gateway 3.5.1.9 contains a Cross-Site Request Forgery Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an authenticated victim application user being tricked into sending state-changing requests to the vulnerable application, causing unintended server operations | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| CVE-2024-49598 | Dell PowerFlex Rack versions prior to 3.6.3, contains a Use of a Broken or Risky Cryptographic Algorithm vulnerability, in the Storage Nodes component. An unauthenticated attacker on the adjacent network could potentially exploit this in a man-in-the-middle attack leading to information disclosure. | 6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Corrección y productos afectados
|
Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
|
PowerFlex rack |
RCM |
Versions prior to 3.6.7.0 |
Version 3.6.7.0 or later |
|
Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
|
PowerFlex rack |
RCM |
Versions prior to 3.6.7.0 |
Version 3.6.7.0 or later |
In the case of manual upgrade for PowerFlex rack, please see this link: https://www.dell.com/support/home/en-us/product-support/product/powerflex-rack-rcm-sw/drivers
Historial de revisiones
|
Revision |
Date |
Description |
|
1.0 |
2024-11-06 |
Initial Release |
|
2.0 |
2025-02-12 |
Major update: added Proprietary Code table with CVE-2024-39588 & CVE-2024-49598 |