DSA-2024-115: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities
Zhrnutie: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Tento článok sa vzťahuje na
Tento článok sa nevzťahuje na
Tento článok nie je viazaný na žiadny konkrétny produkt.
V tomto článku nie sú uvedené všetky verzie produktov.
Dosah
Critical
Podrobnosti
| Third-Party Component | CVEs | More information |
|---|---|---|
| FreeBSD C library (libc) | CVE-2023-5941 | https://nvd.nist.gov/vuln/detail/CVE-2023-5941  |
| PCRE | CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155 | See NVD link below for individual scores for each CVE. http://nvd.nist.gov/ |
| follow-redirects | CVE-2023-26159 | https://nvd.nist.gov/vuln/detail/CVE-2023-26159 |
| OpenSSH | CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 | See NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-25959 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. | 7.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
| CVE-2024-25960 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVE-2024-25961 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25952 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25953 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25963 | Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2024-25954 | Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-25959 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an insertion of sensitive information into log file vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure, escalation of privileges. | 7.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
| CVE-2024-25960 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVE-2024-25961 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25952 | Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25953 | Dell PowerScale OneFS versions 9.4.0.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-25963 | Dell PowerScale OneFS, versions 8.2.2.x through 9.5.0.x contains a use of a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2024-25954 | Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Dotknuté produkty a riešenie problému
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|
| CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 | PowerScale OneFS | Version 8.2.2 through 9.3.0.0 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.4.0.17 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.7 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.6.1.0 through 9.7.0.0 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.1 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.2 | Version 9.7.0.3 or later | PowerScale OneFS Downloads Area |
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|
| CVE-2023-5941, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25963 | PowerScale OneFS | Version 8.2.2 through 9.3.0.0 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25953, CVE-2024-25963 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2023-5941, CVE-2024-25960, CVE-2024-25959 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.16 | Version 9.4.0.17 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.7 | Version 9.5.0.8 or later | PowerScale OneFS Downloads Area |
| CVE-2023-5941, CVE-2024-25959, CVE-2017-7246, CVE-2017-11164, CVE-2017-7244, CVE-2020-14155, CVE-2024-25960, CVE-2023-26159, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384, CVE-2024-25954, CVE-2024-25963 | PowerScale OneFS | Version 9.6.1.0 through 9.7.0.0 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2024-25959, CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953, CVE-2024-25954 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.1 | Version 9.7.0.2 or later | PowerScale OneFS Downloads Area |
| CVE-2023-26159, CVE-2023-48795, CVE-2023-51385, CVE-2023-51384 | PowerScale OneFS | Version 9.7.0.0 through 9.7.0.2 | Version 9.7.0.3 or later | PowerScale OneFS Downloads Area |
Note:
- Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.5.0.8 or later.
- We encourage all customers to adopt the version which is 9.5.x code line, with the latest maintenance RUP 9.5.0.8.
- For more information LTS 2023 on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary
- CVE-2024-25954: This vulnerability is only impacted when httpd server for data path is started. By default, this httpd server is disabled on PowerScale OneFS.
- Unless specified as impacted, the term “or Later” encompasses all PowerScale OneFS releases, under standard support, that are of a higher minor or major version than the specified release.
Alternatívne riešenia a zmiernenia
| CVEs | Workaround and Mitigation |
|---|---|
| CVE-2024-25960, CVE-2024-25961, CVE-2024-25952, CVE-2024-25953 | This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. Mitigations: This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users. More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub |
| CVE-2023-48795 |
This vulnerability can be mitigated by removing the chacha20-poly1305@openssh.com from isi ssh settings modify --ciphers=aes192-ctr,aes256-ctr,aes256-gcm@openssh.com |
História revízií
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-03-28 | Initial Release |
| 2.0 | 2024-04-29 | Updated for enhanced presentation with no changes to content |
| 3.0 | 2024-04-29 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-04-29 | Updated CVE Identifier, Third Party Components, and Affected Products and Remediation sections: Added CVE-2023-51384 and CVE-2023-51385; Added Workaround details for CVE-2023-48795 |
| 5.0 | 2024-06-06 | Updated Affected Products and Remediation section: Remediated Version 9.7.0.3 or later |
| 6.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content |
| 7.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content |
Súvisiace informácie
Legal Disclaimer
Dotknuté produkty
PowerScale OneFSVlastnosti článku
Číslo článku: 000223366
Typ článku: Dell Security Advisory
Dátum poslednej úpravy: 19 sep 2025
Nájdite odpovede na svoje otázky od ostatných používateľov spoločnosti Dell
Služby podpory
Skontrolujte, či sa na vaše zariadenie vzťahujú služby podpory.