DSA-2025-208: Security Update for Dell PowerScale OneFS Multiple Vulnerabilities

Riepilogo: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Questo articolo si applica a Questo articolo non si applica a Questo articolo non è legato a un prodotto specifico. Non tutte le versioni del prodotto sono identificate in questo articolo.
Scopri le altre risorse

Impatto

Critical

Dettagli

Third-party Component CVEs More Information
Certifi CVE-2024-39689 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
FreeBSD CVE-2024-53580 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
Python CVE-2024-6923 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
Python-future CVE-2022-40899 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
OpenSSL CVE-2024-2511 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.
SQLite CVE-2023-7104 https://nvd.nist.gov/vuln/searchThis hyperlink is taking you to a website outside of Dell Technologies.

 

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-53298 Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
CVE-2025-32753 Dell PowerScale OneFS, versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. 5.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LThis hyperlink is taking you to a website outside of Dell Technologies.

 

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-53298 Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
CVE-2025-32753 Dell PowerScale OneFS, versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. 5.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LThis hyperlink is taking you to a website outside of Dell Technologies.

 

Dell Technologies raccomanda a tutti i clienti di prendere in considerazione sia il punteggio base CVSS, sia ogni eventuale punteggio temporale o ambientale che possa avere effetti sul livello di gravità potenziale associato a una specifica vulnerabilità di sicurezza.

Prodotti interessati e correzione

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.10.0.1 Version 9.10.1.0 or later PowerScale OneFS Downloads Area
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.7.0.0 through 9.7.1.7 Version 9.7.1.8 or later PowerScale OneFS Downloads Area
CVE-2024-53298 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.2 Version 9.5.1.3 or later PowerScale OneFS Downloads Area
CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.4 Version 9.5.1.4 or later PowerScale OneFS Downloads Area

 

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.10.0.1 Version 9.10.1.0 or later PowerScale OneFS Downloads Area
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.7.0.0 through 9.7.1.7 Version 9.7.1.8 or later PowerScale OneFS Downloads Area
CVE-2024-53298 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.2 Version 9.5.1.3 or later PowerScale OneFS Downloads Area
CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 PowerScale OneFS Versions 9.5.0.0 through 9.5.1.4 Version 9.5.1.4 or later PowerScale OneFS Downloads Area

 

Notes:

  1. The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
  2. We encourage all customers to adopt the Long-Term Support (LTS) 2025 version which is 9.10.x code line, with the latest maintenance.
  3. For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary and Security Update Release Schedule for Supported Versions of Dell PowerScale OneFS.

Soluzioni alternative e mitigazioni

CVE ID Workaround and Mitigation

CVE-2024-53298

The vulnerability applies to all PowerScale OneFS product versions where NFSv3 or NFSv4 is enabled and an export is configured. 

 

Mitigation 

To mitigate the vulnerability without disrupting active client connections, run the following CLI command:

isi nfs export reload --zone=zone_name

This command reloads the NFS export configuration for the specified zone, reinstating proper authorization checks and mitigating the vulnerability.

Because it is a temporary fix, the vulnerability may reoccur after zone reactivation events like IP changes, interface updates, network pool changes, or node additions/removals. Run the command again after these events to keep the system protected.

 

Impact of Applying the Mitigation 

  • Existing client connections remain active and uninterrupted.
  • New mounts may experience a brief delay (less than 1 second) before succeeding.
  • Active operations are unaffected because NFS clients automatically retry during transient unavailability.

 

Note: Customers should upgrade to a remediated version as soon as possible to permanently fix CVE-2024-53298.


    

   
  

  
 


    
Cronologia delle revisioni

    
RevisionDateDescription
1.02025-06-04Initial Release
2.02025-06-30Update to include 9.5.1.4 remediated version and CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104
3.02025-07-24Update to Workaround and Mitigation; no other changes
4.02025-08-25Updates to Workaround and Mitigation and Additional Information sections
5.02025-10-22Removed SupportAssist
6.02025-12-05Revised the Third-party components table
7.02025-12-22Update to Workaround and Mitigation; no other changes


 

    
Ringraziamenti

    

 
 
  
Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting CVE-2025-32753.

 


    
Informazioni correlate

    
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


        


        

        
Dichiarazione di non responsabilità

        

        
Prodotti interessati

        PowerScale OneFS







                        

                            

    

        

            

                
                    
 Proprietà dell'articolo

                
            

            

                

                        
Numero articolo: 000326339

                

                
                

                        
Tipo di articolo: Dell Security Advisory

                

                

                        
Ultima modifica: 22 dic 2025


                


            


        

    

    

        

            

                
                    
Trova risposta alle tue domande dagli altri utenti Dell

                
            

            

                

                    
                



            


        

    

    

        

            

                
                    
Support Services

                
            

            

                

                    Verifica che il dispositivo sia coperto dai Servizi di supporto.