DSA-2024-115: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities
요약: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
이 문서는 다음에 적용됩니다.
이 문서는 다음에 적용되지 않습니다.
이 문서는 특정 제품과 관련이 없습니다.
모든 제품 버전이 이 문서에 나와 있는 것은 아닙니다.
영향
Critical
세부 정보
| Third-Party Component | CVEs | More information |
|---|---|---|
| FreeBSD C library (libc) | CVE-2023-5941 | https://nvd.nist.gov/vuln/detail/CVE-2023-5941  |
| PCRE | CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155 | See NVD link below for individual scores for each CVE. http://nvd.nist.gov/ |
| follow-redirects | CVE-2023-26159 | https://nvd.nist.gov/vuln/detail/CVE-2023-26159 |
| OpenSSH | CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 | See NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-25959 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. | 7.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
| CVE-2024-25960 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVE-2024-25961 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25952 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25953 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25963 | Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2024-25954 | Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-25959 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. | 7.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
| CVE-2024-25960 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVE-2024-25961 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25952 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25953 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25963 | Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2024-25954 | Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
영향을 받는 제품 및 문제 해결
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|
| CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 | PowerScale OneFS | Version 8.2.2 through 9.3.0.0 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.4.0.17 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.7 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.6.1.0 through 9.7.0.0 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.1 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.2 | Version 9.7.0.3 or later | PowerScale OneFS Downloads Area |
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|
| CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 | PowerScale OneFS | Version 8.2.2 through 9.3.0.0 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.4.0.17 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.7 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.6.1.0 through 9.7.0.0 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.1 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.2 | Version 9.7.0.3 or later | PowerScale OneFS Downloads Area |
Note:
- Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.5.0.8 or later.
- We encourage all customers to adopt the version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.8.
- For more information LTS 2023 on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary
- CVE-2024-25954: This vulnerability is only impacted when httpd server for data path is started. By default, this httpd server is disabled on PowerScale OneFS.
- Unless specified as impacted, the term “or Later” encompasses all PowerScale OneFS releases, under standard support, that are of a higher minor or major version than the specified release.
해결 방법 및 완화 방안
| CVEs | Workaround and Mitigation |
|---|---|
| CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953 | This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. Mitigations: This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users. More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub |
| CVE-2023-48795 |
This vulnerability can be mitigated by removing the chacha20-poly1305@openssh.com from isi ssh settings modify --ciphers=aes192-ctr,aes256-ctr,aes256-gcm@openssh.com |
개정 내역
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-03-28 | Initial Release |
| 2.0 | 2024-04-29 | Updated for enhanced presentation with no changes to content |
| 3.0 | 2024-04-29 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-04-29 | Updated CVE Identifier, Third Party Components, and Affected Products and Remediation sections: Added CVE-2023-51384 and CVE-2023-51385; Added Workaround details for CVE-2023-48795 |
| 5.0 | 2024-06-06 | Updated Affected Products and Remediation section: Remediated Version 9.7.0.3 or later |
| 6.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content |
| 7.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content |
관련 정보
법적 고지 사항
해당 제품
PowerScale OneFS문서 속성
문서 번호: 000223366
문서 유형: Dell Security Advisory
마지막 수정 시간: 19 9월 2025
다른 Dell 사용자에게 질문에 대한 답변 찾기
지원 서비스
디바이스에 지원 서비스가 적용되는지 확인하십시오.