DSA-2024-077: Security Update for Dell Secure Connect Gateway Policy Manager Vulnerabilities

Summary: Dell Secure Connect Gateway Policy Manager remediation for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

This article is not tied to a specific product. Not all product versions are listed in this article.

Impact

High

Details

Third-party Component | CVEs
Apache Tomcat | CVE-2023-44487, CVE-2023-46589
@babel/traverse | CVE-2023-45133
ajv | CVE-2020-15366
json-path | CVE-2023-51074
Java 17 | CVE-2023-22025, CVE-2023-22081
com.fasterxml.jackson | CVE-2023-35116
ch.qos.logback | CVE-2023-6481, CVE-2023-6378
Spring | CVE-2023-34053, CVE-2023-34055
SUSE Enterprise 12 SP5 | CVE-2023-48795

More information: see the NVD (https://nvd.nist.gov) for individual scores for each CVE.

Proprietary Code CVEs

CVE-2024-24900
Description: Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains an improper authorization vulnerability. An adjacent network low privileged attacker could potentially exploit this vulnerability, leading to unauthorized devices added to policies. Exploitation may lead to information disclosure and unauthorized access to the system.
CVSS Base Score: 5.8
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

CVE-2024-24903
Description: Dell Secure Connect Gateway (SCG) Policy Manager, version 5.10+, contains a weak password recovery mechanism for forgotten passwords. An adjacent network low privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with the privileges of the compromised account. The attacker could retrieve the password reset token without authorization and then perform the password change.
CVSS Base Score: 8.0
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-24907
Description: Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability in the Filters page. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
CVSS Base Score: 7.6
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2024-24904
Description: Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
CVSS Base Score: 7.6
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2024-24905
Description: Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
CVSS Base Score: 7.6
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE-2024-24906
Description: Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability in the Policy page. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
CVSS Base Score: 7.6
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity associated with the particular security vulnerability.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Remediated Versions | Link
CVE-2023-6378, CVE-2023-34053, CVE-2023-34055, CVE-2023-51074, CVE-2023-35116, CVE-2023-22081, CVE-2023-22025, CVE-2020-15366, CVE-2023-6481, CVE-2023-44487, CVE-2023-46589, CVE-2023-45133, CVE-2023-48795 | Dell Policy Manager for Secure Connect Gateway | Version 5.20.00.10 | Version 5.22.00.16 | https://www.dell.com/support/home/en-us/product-support/product/secure-connect-gateway-ve/drivers
CVE-2024-24900, CVE-2024-24904, CVE-2024-24905, CVE-2024-24906, CVE-2024-24907 | Dell Policy Manager for Secure Connect Gateway | Versions prior to 5.22.00.16 | Version 5.22.00.16 | https://www.dell.com/support/home/en-us/product-support/product/secure-connect-gateway-ve/drivers
CVE-2024-24903 | Dell Policy Manager for Secure Connect Gateway | Versions 5.10 through 5.20.00.16 | Version 5.22.00.16 | https://www.dell.com/support/home/en-us/product-support/product/secure-connect-gateway-ve/drivers
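The three rows above use different range notations ("Version 5.20.00.10", "prior to", "through"), so a fleet check is easy to get wrong. The following is an added triage example, not Dell tooling: it encodes the advisory's ranges (reading "prior to" as exclusive and "through" as inclusive, an assumption) and maps a constructed inventory of hostnames and installed versions to the CVEs still open on each host.

```python
"""Triage helper for DSA-2024-077: which of the advisory's CVEs apply to an
installed Dell Policy Manager for Secure Connect Gateway build? Added example,
not Dell tooling. Ranges come from the remediation table; hostnames and
installed versions below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
REMEDIATED = "5.22.00.16"

def parse_version(text: str) -> Version:
    """'5.22.00.16' -> (5, 22, 0, 16); '5.10' is padded to (5, 10, 0, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

@dataclass(frozen=True)
class AffectedRange:
    cves: Tuple[str, ...]
    low: Optional[str]    # inclusive lower bound; None = every earlier build
    high: str             # upper bound
    high_inclusive: bool  # True for "through X", False for "prior to X" (assumed)

    def contains(self, v: Version) -> bool:
        if self.low is not None and v < parse_version(self.low):
            return False
        h = parse_version(self.high)
        return v <= h if self.high_inclusive else v < h

THIRD_PARTY = ("CVE-2023-6378", "CVE-2023-34053", "CVE-2023-34055", "CVE-2023-51074",
               "CVE-2023-35116", "CVE-2023-22081", "CVE-2023-22025", "CVE-2020-15366",
               "CVE-2023-6481", "CVE-2023-44487", "CVE-2023-46589", "CVE-2023-45133",
               "CVE-2023-48795")
DSA_2024_077 = [
    AffectedRange(THIRD_PARTY, "5.20.00.10", "5.20.00.10", True),  # exactly 5.20.00.10
    AffectedRange(("CVE-2024-24900", "CVE-2024-24904", "CVE-2024-24905",
                   "CVE-2024-24906", "CVE-2024-24907"), None, REMEDIATED, False),
    AffectedRange(("CVE-2024-24903",), "5.10", "5.20.00.16", True),
]

def exposure(installed: str, ranges=DSA_2024_077) -> List[str]:
    # Sorted CVE ids from the advisory that still apply to this build.
    v = parse_version(installed)
    return sorted({c for r in ranges if r.contains(v) for c in r.cves})

# Constructed inventory: hostname -> installed Policy Manager version.
INVENTORY: Dict[str, str] = {"scg-pm-01": "5.20.00.10", "scg-pm-02": "5.10.00.05",
                             "scg-pm-03": "5.22.00.16", "scg-pm-04": "5.08.00.02"}

def triage(inventory: Dict[str, str] = INVENTORY) -> Dict[str, List[str]]:
    """Hostname -> open CVEs, listing only hosts with something to patch."""
    return {h: cves for h, v in inventory.items() if (cves := exposure(v))}
```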

Workarounds and Mitigations

None

Revision History

Revision | Date | Description
1.0 | 2024-02-29 | Initial Release

Acknowledgements

CVE-2024-24904: Dell Technologies would like to thank kosmosec for reporting this issue.
CVE-2024-24905: Dell Technologies would like to thank kosmosec for reporting this issue.
CVE-2024-24903: Dell Technologies would like to thank kosmosec for reporting this issue.
CVE-2024-24900: Dell Technologies would like to thank juust4 for reporting this issue.
CVE-2024-24906: Dell Technologies would like to thank juust4 for reporting this issue.
CVE-2024-24907: Dell Technologies would like to thank juust4 for reporting this issue.
 

Related Information

Affected Products

Secure Connect Gateway, Secure Connect Gateway - Virtual Edition

Article Properties
Article Number: 000222330
Article Type: Dell Security Advisory
Last Modified: 29 Feb 2024