CVE-2023-48795

Hi,

Thanks for your question.

We are waiting on an update from the Engineering team. There is not a fix yet.

Let us know if you have any additional questions.

Any update?

We are also affected by this

I don’t see it listed in either of the updates released today. https://dell.to/3SpAoNm and https://dell.to/3SjDYIN You can check the latest here. https://dell.to/3SeOWiI

I would recommend a support case be opened for this topic about how Dell plans to address this CVE.  ie.  The issue in this CVE is tied to specific ciphers that are used by OpenSSH.  Dell Support should be able to assist in disabling the problematic ciphers for ssh.

An acceptable workarount/mitigation might be to simply disable the problematic ciphers on the PowerScale so ssh clients can't use them when connecting to the PowerScale.

# isi_gconfig -t ssh-config | grep cipher

ciphers (char*) = aes192-ctr,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

# isi_gconfig -t ssh-config ciphers=aes192-ctr,aes256-ctr,aes256-gcm@openssh.com

# isi_for_array -s killall -HUP sshd

Once the problemantic cipher is removed on the PowerScale a client can't use the given cipher to.

# ssh -c <Private data removed from public view. DELL Admin>

Unable to negotiate with 1<Private data removed from public view. DELL Admin>

I am also seeing this CVE showing on our vulnerability reports. I opened an SR and the reply I received was this.

The update for the OpenSSH is in v9.6 of OpenSSH and is slated for our 9.8 release, hopefully coming out in the next few months.

Sadly this isn't something I can hold off for a few months. 

Thanks Steven 

Article Number: 000221558
https://www.dell.com/support/kbdoc/en-us/000221558/dsa-2024-021-idrac-8-and-idrac-9-security-update-for-cve-2023-48795
DSA-2024-021: iDRAC 8 and iDRAC 9 Security Update for CVE-2023-48795
Summary: Dell iDRAC 8 and Dell iDRAC 9 security update for an OpenSSH vulnerability.