Artikelnummer: 000225667

DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Samenvatting: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article content

Impact

High

Gegevens

Third-Party Component	CVEs	More information
Sudo	CVE-2023-42465	https://nvd.nist.gov/vuln/detail/CVE-2023-42465
pyca/cryptography	CVE-2023-23931, CVE-2020-25659	See the NVD link below for individual scores for each CVE.https://nvd.nist.gov/

Proprietary Code CVE	Description	CVSS Base Score	CVSS Vector String
CVE-2024-29170	Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service.	8.1	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Proprietary Code CVE	Description	CVSS Base Score	CVSS Vector String
CVE-2024-29170	Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service.	8.1	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Dell Technologies raadt aan dat alle klanten rekening houden met zowel de basisscore van CVSS als alle relevante tijdelijke en omgevingsscores die gevolgen kunnen hebben voor de mogelijke ernst van de specifieke beveiligingsproblemen.

Getroffen producten en herstel

CVEs Addressed	Product	Affected Versions	Remediated Versions	Links
CVE-2023-42465	PowerScale OneFS	Version 8.2.x through 9.4.0.17	Version 9.4.0.18 or later	PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659	PowerScale OneFS	Version 8.2.x through 9.4.0.17	Version 9.7.1.0 or later	PowerScale OneFS Downloads Area
CVE-2023-42465, CVE-2023-23931, CVE-2020-25659	PowerScale OneFS	Version 9.5.0.0 through 9.7.0.1	Version 9.7.1.0 or later	PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659	PowerScale OneFS	Version 9.7.0.2	Version 9.7.1.0 or later	PowerScale OneFS Downloads Area
CVE-2024-29170	PowerScale OneFS	Version 8.2.x through 9.8.0.x	N/A	PowerScale OneFS Security Configuration Guide

CVEs Addressed	Product	Affected Versions	Remediated Versions	Links
CVE-2023-42465	PowerScale OneFS	Version 8.2.x through 9.4.0.17	Version 9.4.0.18 or later	PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659	PowerScale OneFS	Version 8.2.x through 9.4.0.17	Version 9.7.1.0 or later	PowerScale OneFS Downloads Area
CVE-2023-42465, CVE-2023-23931, CVE-2020-25659	PowerScale OneFS	Version 9.5.0.0 through 9.7.0.1	Version 9.7.1.0 or later	PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659	PowerScale OneFS	Version 9.7.0.2	Version 9.7.1.0 or later	PowerScale OneFS Downloads Area
CVE-2024-29170	PowerScale OneFS	Version 8.2.x through 9.8.0.x	N/A	PowerScale OneFS Security Configuration Guide

Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to version 9.7.1.0 or later.

We encourage all customers to adopt the Long Term Support (LTS) 2024 version, the 9.7.x code line with the latest maintenance MR 9.7.1.0. For more information about LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.

Tijdelijke oplossingen en beperkingen

CVEs	Mitigations
CVE-2023-42465	This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. This vulnerability can be mitigated in non-compliance mode cluster and PowerScale OneFS version 9.5 or later by enabling the restricted shell for users. More information regarding restricted shell can be found at: OneFS Restricted Shell \| Dell Technologies Info Hub.
CVE-2024-29170	Please refer the section "Change password on backend switches” in the “Security Configuration Guide” document listed under "Administering Your Cluster" at https://www.dell.com/support/kbdoc/000220353

CVEs

Mitigations

CVE-2023-42465

This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.

This vulnerability can be mitigated in non-compliance mode cluster and PowerScale OneFS version 9.5 or later by enabling the restricted shell for users.

More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub.

CVE-2024-29170

Please refer the section "Change password on backend switches” in the “Security Configuration Guide” document listed under "Administering Your Cluster" at https://www.dell.com/support/kbdoc/000220353

Revisiegeschiedenis

Revision	Date	Description
1.0	2024-06-03	Initial Release
2.0	2024-06-12	Updated Workarounds and Mitigations section: CVE-2024-29170 mitigation details

DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Samenvatting: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article content

Impact

Gegevens

Getroffen producten en herstel

Tijdelijke oplossingen en beperkingen

Revisiegeschiedenis

Verwante informatie

Juridische informatie

Artikeleigenschappen

Datum laatst gepubliceerd

Artikeltype

Welkom

Welkom bij Dell

DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Samenvatting: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article content

Impact

Gegevens

Getroffen producten en herstel

Tijdelijke oplossingen en beperkingen

Revisiegeschiedenis

Verwante informatie

Juridische informatie

Artikeleigenschappen

Datum laatst gepubliceerd

Artikeltype