DSA-2025-208: Security Update for Dell PowerScale OneFS Multiple Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.


Impact

Critical

Details

Third-party Component | CVEs | More Information
Certifi | CVE-2024-39689 | https://nvd.nist.gov/vuln/search
FreeBSD | CVE-2024-53580 | https://nvd.nist.gov/vuln/search
Python | CVE-2024-6923 | https://nvd.nist.gov/vuln/search
Python-future | CVE-2022-40899 | https://nvd.nist.gov/vuln/search
OpenSSL | CVE-2024-2511 | https://nvd.nist.gov/vuln/search
SQLite | CVE-2023-7104 | https://nvd.nist.gov/vuln/search

 

Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String

CVE-2024-53298 | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1 contain a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers upgrade at the earliest opportunity. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2025-32753 | Dell PowerScale OneFS versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1 contain an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. | 5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L


Dell Technologies recommends that all customers consider not only the CVSS base score but also the temporal and environmental scores that apply to their specific environment, since those determine the overall risk in that environment.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Remediated Versions | Link
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.5.0.0 through 9.10.0.1 | Version 9.10.1.0 or later | PowerScale OneFS Downloads Area
CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.7.0.0 through 9.7.1.7 | Version 9.7.1.8 or later | PowerScale OneFS Downloads Area
CVE-2024-53298 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area
CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.3 | Version 9.5.1.4 or later | PowerScale OneFS Downloads Area


Notes:

  1. The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
  2. We encourage all customers to adopt the Long-Term Support (LTS) 2025 version which is 9.10.x code line, with the latest maintenance.
  3. For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary and Security Update Release Schedule for Supported Versions of Dell PowerScale OneFS.
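The remediation table above gives different fix versions per code line, and a 9.5.x cluster is only fully covered by moving to the 9.10.x LTS line. The script below, an added example and not Dell's tooling, turns that table into a fleet triage: for each cluster version it lists the advisory CVEs still open, the lowest version that closes all of them, and whether the interim NFS export reload for CVE-2024-53298 is needed. The inventory format ("cluster,version" lines) and the cluster names are constructed for the example. It assumes a 9.5.x cluster is protected from a CVE only once it reaches the 9.5.1.x version the table lists for that CVE, and that CVEs with no 9.5.x fix in the table require the 9.10.1.0 target.

```python
"""Triage PowerScale OneFS cluster versions against DSA-2025-208.

Added example, not Dell code. Fix versions per code line are transcribed
from the advisory's Affected Products and Remediation table. The inventory
format and cluster names are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

Version = tuple[int, int, int, int]

NFS_MISSING_AUTHZ = "CVE-2024-53298"  # unauthenticated NFS export access
THIRD_PARTY_95 = ("CVE-2022-40899", "CVE-2024-2511", "CVE-2024-6923", "CVE-2023-7104")
ALL_CVES = (NFS_MISSING_AUTHZ, "CVE-2025-32753", "CVE-2024-39689", "CVE-2024-53580") + THIRD_PARTY_95

FIRST_AFFECTED = "9.5.0.0"
LTS_TARGET = "9.10.1.0"  # remediates every CVE for 9.5.0.0 through 9.10.0.1
# Remediated version per code line (major.minor) and CVE. A CVE missing from a
# line has no fix on that line, so the cluster must move to LTS_TARGET
# (assumption: this is how the 9.5.x rows of the table are read).
LINE_FIXES: dict[tuple[int, int], dict[str, str]] = {
    (9, 5): {NFS_MISSING_AUTHZ: "9.5.1.3", **{c: "9.5.1.4" for c in THIRD_PARTY_95}},
    (9, 7): {c: "9.7.1.8" for c in ALL_CVES},
}


def parse_version(text: str) -> Version:
    """'9.7.1.7' -> (9, 7, 1, 7); OneFS versions are four numeric fields."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-field OneFS version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def fix_version(version: Version, cve: str) -> Version:
    """Lowest version that remediates `cve` for a cluster on `version`'s code line."""
    return parse_version(LINE_FIXES.get(version[:2], {}).get(cve, LTS_TARGET))


@dataclass(frozen=True)
class Triage:
    version: str
    open_cves: tuple[str, ...]    # advisory CVEs still present on this version
    required_version: str | None  # lowest version that closes all of open_cves
    nfs_reload_needed: bool       # interim mitigation for CVE-2024-53298 applies

    @property
    def affected(self) -> bool:
        return bool(self.open_cves)


def triage(version_text: str) -> Triage:
    """Classify one cluster version against every CVE in the advisory."""
    v = parse_version(version_text)
    open_cves: list[str] = []
    fixes: list[Version] = []
    if v >= parse_version(FIRST_AFFECTED):
        for cve in ALL_CVES:
            fix = fix_version(v, cve)
            if v < fix:  # still below the remediated build for this CVE
                open_cves.append(cve)
                fixes.append(fix)
    required = ".".join(map(str, max(fixes))) if fixes else None
    return Triage(
        version=version_text.strip(),
        open_cves=tuple(sorted(open_cves)),
        required_version=required,
        nfs_reload_needed=NFS_MISSING_AUTHZ in open_cves,
    )


def triage_inventory(lines: list[str]) -> dict[str, Triage]:
    """Parse 'cluster,version' lines; blank lines and '#' comments are skipped."""
    result: dict[str, Triage] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ver = (s.strip() for s in line.split(",", 1))
        result[name] = triage(ver)
    return result


# Constructed sample inventory with fictional cluster names.
SAMPLE_INVENTORY = [
    "# cluster,onefs_version",
    "lab-a,9.7.1.5",
    "prod-b,9.10.0.1",
    "old-c,9.5.1.4",
    "new-d,9.10.1.0",
]

if __name__ == "__main__":
    for name, t in triage_inventory(SAMPLE_INVENTORY).items():
        state = f"upgrade to {t.required_version}" if t.affected else "remediated"
        hint = "  interim: isi nfs export reload --zone=<zone>" if t.nfs_reload_needed else ""
        print(f"{name:8} {t.version:10} {state:20} open={len(t.open_cves)}{hint}")
```

Note that under this reading a cluster on 9.5.1.4 still carries CVE-2025-32753, CVE-2024-39689 and CVE-2024-53580, because the only fix the table lists for those on a 9.5.x cluster is 9.10.1.0; the script reports that rather than treating the 9.5.1.4 row as closing the whole advisory.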

Workarounds and Mitigations

CVE ID | Workaround and Mitigation

CVE-2024-53298

The vulnerability applies to all PowerScale OneFS product versions where NFSv3 or NFSv4 is enabled and an export is configured.

Mitigation

To mitigate the vulnerability without disrupting active client connections, run the following CLI command:

isi nfs export reload --zone=zone_name

This command reloads the NFS export configuration for the specified zone, reinstating proper authorization checks and mitigating the vulnerability.

Because it is a temporary fix, the vulnerability may reoccur after zone reactivation events such as IP changes, interface updates, network pool changes, or node additions and removals. Run the command again after these events to keep the system protected.

Impact of Applying the Mitigation

  • Existing client connections remain active and uninterrupted.
  • New mounts may experience a brief delay (less than 1 second) before succeeding.
  • Active operations are unaffected because NFS clients automatically retry during transient unavailability.

Note: Customers should upgrade to a remediated version as soon as possible to permanently fix CVE-2024-53298.


Revision History

Revision | Date | Description
1.0 | 2025-06-04 | Initial Release
2.0 | 2025-06-30 | Update to include 9.5.1.4 remediated version and CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104
3.0 | 2025-07-24 | Update to Workaround and Mitigation; no other changes
4.0 | 2025-08-25 | Updates to Workaround and Mitigation and Additional Information sections
5.0 | 2025-10-22 | Removed SupportAssist
6.0 | 2025-12-05 | Revised the Third-party components table
7.0 | 2025-12-22 | Update to Workaround and Mitigation; no other changes

 

Acknowledgements

Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting CVE-2025-32753.

Related Information

Affected Products

PowerScale OneFS

Article Properties
Article Number: 000326339
Article Type: Dell Security Advisory
Last Modified: 22 Dec 2025