DSA-2023-347: Dell SmartFabric Storage Software Security Update for Multiple Vulnerabilities

Summary: Dell SmartFabric Storage Software remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.


Impact

High

Details

Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String
CVE-2023-4401 | Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-43068 | Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to the execution of arbitrary commands. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-43069 | Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-43070 | Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability, leading to the modification or writing of arbitrary files to arbitrary locations in the license container. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2023-43071 | Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CSV formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection-type attacks. | 4.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2023-43072 | Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local, possibly unauthenticated attacker could potentially exploit this vulnerability, leading to the ability to execute arbitrary shell commands. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
CVE-2023-43073 | Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to gaining unauthorized access to data. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Dell recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Updated Versions | Link
CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software Debian package v1.4.1 for upgrading SmartFabric Storage Software VM deployed on either ESXi or Linux KVM | v1.4.0 and prior | v1.4.1 | Debian Package v1.4.1 upgrade SmartFabric Storage Software VM (applicable to ESXi or Linux KVM)
CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software package v1.4.1 for ESXi | v1.4.0 and prior | v1.4.1 | SmartFabric Storage Software package v1.4.1 for ESXi
CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software package v1.4.1 for Linux KVM | v1.4.0 and prior | v1.4.1 | SmartFabric Storage Software package v1.4.1 for Linux KVM

Workarounds and Mitigations

None

Revision History

Revision | Date | Description
1.0 | 2023-09-28 | Initial Revision
2.0 | 2023-10-05 | Major Revision: added CVE links and modified some minor formatting
3.0 | 2023-10-13 | Major Revision: added legally required external redirect icon. Embedded external hyperlinks to the CVSS strings.

Related Information

Affected Products

SmartFabric Storage Software for NVMe/TCP SAN, SmartFabric Storage Software Download for NVMe/TCP SAN
Article Properties
Article Number: 000218107
Article Type: Dell Security Advisory
Last Modified: 13 Oct 2023