DSA-2025-208: Security Update for Dell PowerScale OneFS Multiple Vulnerabilities

Resumen: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Este artículo se aplica a Este artículo no se aplica a Este artículo no está vinculado a ningún producto específico. No se identifican todas las versiones del producto en este artículo.
Consulte estos recursos

Impacto

Critical

Detalles

Third-party Component CVEs More Information
Certifi CVE-2024-39689 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
FreeBSD CVE-2024-53580 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
Python CVE-2024-6923 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
Python-future CVE-2022-40899 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
OpenSSL CVE-2024-2511 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
SQLite CVE-2023-7104 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.

 

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-53298 Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
CVE-2025-32753 Dell PowerScale OneFS, versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. 5.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LThis hyperlink is taking you to a website outside of Dell Technologies.

 

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-53298 Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
CVE-2025-32753 Dell PowerScale OneFS, versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. 5.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LThis hyperlink is taking you to a website outside of Dell Technologies.

 

Dell Technologies recomienda que todos los clientes tengan en cuenta tanto la puntuación base como cualquier otra puntuación ambiental y temporal relevante que pueda afectar la posible gravedad asociada con la vulnerabilidad de seguridad en particular.

Corrección y productos afectados

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.10.0.1 Version 9.10.1.0 or later PowerScale OneFS Downloads Area
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.7.0.0 through 9.7.1.7 Version 9.7.1.8 or later PowerScale OneFS Downloads Area
CVE-2024-53298 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.2 Version 9.5.1.3 or later PowerScale OneFS Downloads Area
CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.4 Version 9.5.1.4 or later PowerScale OneFS Downloads Area

 

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.10.0.1 Version 9.10.1.0 or later PowerScale OneFS Downloads Area
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.7.0.0 through 9.7.1.7 Version 9.7.1.8 or later PowerScale OneFS Downloads Area
CVE-2024-53298 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.2 Version 9.5.1.3 or later PowerScale OneFS Downloads Area
CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.4 Version 9.5.1.4 or later PowerScale OneFS Downloads Area

 

Notes:

  1. The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
  2. We encourage all customers to adopt the Long-Term Support (LTS) 2025 version which is 9.10.x code line, with the latest maintenance.
  3. For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary and Security Update Release Schedule for Supported Versions of Dell PowerScale OneFS.

Soluciones alternativas y mitigaciones

CVE ID Workaround and Mitigation

CVE-2024-53298

The vulnerability applies to all PowerScale OneFS product versions where NFSv3 or NFSv4 is enabled and an export is configured. 

 

Mitigation 

To mitigate the vulnerability without disrupting active client connections, run the following CLI command:

isi nfs export reload --zone=zone_name

This command reloads the NFS export configuration for the specified zone, reinstating proper authorization checks and mitigating the vulnerability.

Because it is a temporary fix, the vulnerability may reoccur after zone reactivation events like IP changes, interface updates, network pool changes, or node additions/removals. Run the command again after these events to keep the system protected.

 

Impact of Applying the Mitigation 

  • Existing client connections remain active and uninterrupted.
  • New mounts may experience a brief delay (less than 1 second) before succeeding.
  • Active operations are unaffected because NFS clients automatically retry during transient unavailability.

 

Note: Customers should upgrade to a remediated version as soon as possible to permanently fix CVE-2024-53298.


    

   
  

  
 


    
Historial de revisiones

    
RevisionDateDescription
1.02025-06-04Initial Release
2.02025-06-30Update to include 9.5.1.4 remediated version and CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104
3.02025-07-24Update to Workaround and Mitigation; no other changes
4.02025-08-25Updates to Workaround and Mitigation and Additional Information sections
5.02025-10-22Removed SupportAssist
6.02025-12-05Revised the Third-party components table
7.02025-12-22Update to Workaround and Mitigation; no other changes


 

    
Reconocimientos

    

 
 
  
Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting CVE-2025-32753.

 


    
Información relacionada

    
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


        


        

        
Descargo de responsabilidad

        

        
Productos afectados

        PowerScale OneFS







                        

                            

    

        

            

                
                    
 Propiedades del artículo

                
            

            

                

                        
Número del artículo: 000326339

                

                
                

                        
Tipo de artículo: Dell Security Advisory

                

                

                        
Última modificación: 22 dic. 2025


                


            


        

    

    

        

            

                
                    
Encuentre respuestas a sus preguntas de otros usuarios de Dell

                
            

            

                

                    
                



            


        

    

    

        

            

                
                    
Servicios de soporte

                
            

            

                

                    Compruebe si el dispositivo está cubierto por los servicios de soporte.