Bienvenue
Bienvenue dans l’univers Dell
Mon compte
- Passer des commandes rapidement et facilement
- Afficher les commandes et suivre l’état de votre expédition
- Profitez de récompenses et de remises réservées aux membres
- Créez et accédez à une liste de vos produits
- Gérer vos sites, vos produits et vos contacts au niveau des produits Dell EMC à l’aide de la rubrique Gestion des informations de l’entreprise.
Numéro d’article: 000201283
DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities
Résumé: Dell PowerStore Family remediation is available for multiple security vulnerabilities that maybe exploited by malicious users to compromise the affected system.
Contenu de l’article
Impact
Critical
Détails
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-31234 | Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  |
| CVE-2022-22555 | Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-32498 | Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code. | 5.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L |
| CVE-2022-33923 | Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More Information |
| Ansible | CVE-2019-10156 | See NVD (http://nvd.nist.gov/ ) for individual scores of each CVE. |
| Apache Shiro | CVE-2021-41303 | |
| Highcharts JS | CVE-2021-29489 | |
| Jinja2 | CVE-2019-10906 | |
| CVE-2016-10745 | ||
| CVE-2020-28493 | ||
| libsndfile | CVE-2021-3246 | |
| libX11 libX11-data |
CVE-2021-31535 | |
| libexpat | CVE-2022-22822 | |
| CVE-2022-22823 | ||
| CVE-2022-22824 | ||
| CVE-2022-23852 | ||
| CVE-2022-23990 | ||
| CVE-2022-25235 | ||
| CVE-2022-25236 | ||
| CVE-2022-25315 | ||
| Log4j | CVE-2020-9488 | |
| CVE-2021-45105 | ||
| CVE-2021-44832 | ||
| lxml | CVE-2021-43818 | |
| CVE-2021-28957 | ||
| CVE-2020-27783 | ||
| netty | CVE-2021-43797 | |
| NSS NSPR libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-certs mozilla-nss-tools mozilla-nspr |
CVE-2020-12403 | |
| CVE-2021-43527 | ||
| numpy | CVE-2021-41496 | |
| openssl | CVE-2021-3711 | |
| pip | CVE-2019-20916 | |
| postgres | CVE-2021-32027 | |
| CVE-2021-32028 | ||
| CVE-2021-3393 | ||
| CVE-2021-3677 | ||
| CVE-2021-23222 | ||
| CVE-2021-23214 | ||
| Python-3 | CVE-2021-25315 | |
| CVE-2020-25592 | ||
| CVE-2020-11651 | ||
| CVE-2020-11652 | ||
| CVE-2018-15751 | ||
| pyyaml | CVE-2020-14343 | |
| CVE-2017-18342 | ||
| ruby | CVE-2020-25613 | |
| xterm xterm-bin |
CVE-2021-27135 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-31234 | Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22555 | Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-32498 | Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code. | 5.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L |
| CVE-2022-33923 | Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More Information |
| Ansible | CVE-2019-10156 | See NVD (http://nvd.nist.gov/ ) for individual scores of each CVE. |
| Apache Shiro | CVE-2021-41303 | |
| Highcharts JS | CVE-2021-29489 | |
| Jinja2 | CVE-2019-10906 | |
| CVE-2016-10745 | ||
| CVE-2020-28493 | ||
| libsndfile | CVE-2021-3246 | |
| libX11 libX11-data |
CVE-2021-31535 | |
| libexpat | CVE-2022-22822 | |
| CVE-2022-22823 | ||
| CVE-2022-22824 | ||
| CVE-2022-23852 | ||
| CVE-2022-23990 | ||
| CVE-2022-25235 | ||
| CVE-2022-25236 | ||
| CVE-2022-25315 | ||
| Log4j | CVE-2020-9488 | |
| CVE-2021-45105 | ||
| CVE-2021-44832 | ||
| lxml | CVE-2021-43818 | |
| CVE-2021-28957 | ||
| CVE-2020-27783 | ||
| netty | CVE-2021-43797 | |
| NSS NSPR libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-certs mozilla-nss-tools mozilla-nspr |
CVE-2020-12403 | |
| CVE-2021-43527 | ||
| numpy | CVE-2021-41496 | |
| openssl | CVE-2021-3711 | |
| pip | CVE-2019-20916 | |
| postgres | CVE-2021-32027 | |
| CVE-2021-32028 | ||
| CVE-2021-3393 | ||
| CVE-2021-3677 | ||
| CVE-2021-23222 | ||
| CVE-2021-23214 | ||
| Python-3 | CVE-2021-25315 | |
| CVE-2020-25592 | ||
| CVE-2020-11651 | ||
| CVE-2020-11652 | ||
| CVE-2018-15751 | ||
| pyyaml | CVE-2020-14343 | |
| CVE-2017-18342 | ||
| ruby | CVE-2020-25613 | |
| xterm xterm-bin |
CVE-2021-27135 |
Produits concernés et mesure corrective
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| All CVEs above excluding CVE-2022-32498 | PowerStore T OS | PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 | PowerStore T OS Upgrade 3.0.0.0-1732745 | https://www.dell.com/support/home/?app=drivers |
| CVE-2022-32498 | PowerStore Command Line Interface (CLI) tool for Windows | PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745 |
PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745 |
https://www.dell.com/support/home/?app=drivers |
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| All CVEs above excluding CVE-2022-32498 | PowerStore T OS | PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745 | PowerStore T OS Upgrade 3.0.0.0-1732745 | https://www.dell.com/support/home/?app=drivers |
| CVE-2022-32498 | PowerStore Command Line Interface (CLI) tool for Windows | PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745 |
PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745 PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745 |
https://www.dell.com/support/home/?app=drivers |
Solutions de contournement et mesures d’atténuation des risques
CVE-2022-31234:
Configure a long, complex password for the System management account, and change it on a regular basis. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for password requirements. The minimum number of characters is 8 however you should configure a longer than 8 password in order to make it very difficult to brute force.
CVE-2022-22555:
An attacker requires local access through external SSH; therefore, it is recommended to always leave the external SSH service interface disabled unless it must be used to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure. See the PowerStore Security Configuration Guide on the PowerStore Product Page at Dell Support for detailed information about external SSH access.
Historique des révisions
| Revision | Date | More Information |
| 1.0 | 2022-07-07 | Initial Release |
Informations connexes
Informations légales
Propriétés de l’article
Produit concerné
PowerStore, PowerStore 1000T, PowerStore 1200T, PowerStore 3000T, PowerStore 5000T, PowerStore 500T, PowerStore 7000T, PowerStore 9000T, Product Security Information
Dernière date de publication
20 juin 2023
Version
2
Type d’article
Dell Security Advisory