DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450
Summary: Dell VxRail remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Third-party Component | CVEs | More Information |
|---|---|---|
| VMware ESXi | CVE-2023-1017, CVE-2023-1018 | For more information, see VMware’s release notes. |
| Dell PowerEdge BIOS | CVE-2022-34406, CVE-2022-34407, CVE-2022-34408, CVE-2022-34409, CVE-2022-34410, CVE-2022-34411, CVE-2022-34412, CVE-2022-34413, CVE-2022-34414, CVE-2022-34415, CVE-2022-34416, CVE-2022-34417, CVE-2022-34418, CVE-2022-34419, CVE-2022-34420, CVE-2022-34421, CVE-2022-34422, CVE-2022-34423, CVE-2022-34376, CVE-2022-34377 | DSA-2022-204 |
| Dell PowerEdge BIOS | CVE-2022-38090, CVE-2022-36794, CVE-2022-36348, CVE-2022-33972, CVE-2022-33196, CVE-2022-32231, CVE-2022-30704, CVE-2022-30539, CVE-2022-26837, CVE-2022-26343, CVE-2022-21216, CVE-2021-0187 | For more information see, DSA-2023-014 |
| Dell PowerEdge BIOS | CVE-2023-20594, CVE-2023-20597 | For more information, see DSA-2023-348 |
| iDRAC8 | CVE-2022-34436 | DSA-2022-265 |
| iDRAC9 | CVE-2022-44640 | DSA-2023-162 |
| Intel | CVE-2021-33126, CVE-2021-33128, CVE-2022-28709 | Intel-SA-00593 |
| Intel | CVE-2022-36416, CVE-2022-36797 | Intel-SA-00750 |
| Spring Framework | CVE-2022-22970, CVE-2022-22971 | See NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| OpenSSL | CVE-2023-0215 | OpenSSL |
| Cilium | CVE-2022-29179 | See NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| SUSE | CVE-2016-3709, CVE-2017-5601, CVE-2018-10903, CVE-2018-13405, CVE-2019-1010204, CVE-2020-10735, CVE-2020-16119, CVE-2021-20251, CVE-2021-22569, CVE-2021-28153, CVE-2021-28861, CVE-2021-3530, CVE-2021-3618, CVE-2021-3648, CVE-2021-36690, CVE-2021-36976, CVE-2021-3826, CVE-2021-3928, CVE-2021-4037, CVE-2021-45078, CVE-2021-46195, CVE-2021-46848, CVE-2022-0561, CVE-2022-1664, CVE-2022-1941, CVE-2022-20008, CVE-2022-2153, CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626, CVE-2022-21628, CVE-2022-23471, CVE-2022-23491, CVE-2022-2503, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2586, CVE-2022-2601, CVE-2022-2602, CVE-2022-27191, CVE-2022-27943, CVE-2022-2795, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-28693, CVE-2022-28748, CVE-2022-2964, CVE-2022-2978, CVE-2022-2980, CVE-2022-2982, CVE-2022-3037, CVE-2022-3099, CVE-2022-3105, CVE-2022-3107, CVE-2022-3108, CVE-2022-3112, CVE-2022-3115, CVE-2022-3134, CVE-2022-3153, CVE-2022-3169, CVE-2022-3171, CVE-2022-3176, CVE-2022-32221, CVE-2022-32296, CVE-2022-3234, CVE-2022-3235, CVE-2022-3239, CVE-2022-3278, CVE-2022-3296, CVE-2022-3297, CVE-2022-3303, CVE-2022-3324, CVE-2022-3352, CVE-2022-3424, CVE-2022-34266, CVE-2022-3435, CVE-2022-34526, CVE-2022-3479, CVE-2022-3491, CVE-2022-3515, CVE-2022-3520, CVE-2022-3521, CVE-2022-3524, CVE-2022-3535, CVE-2022-3542, CVE-2022-3545, CVE-2022-3564, CVE-2022-3565, CVE-2022-3567, CVE-2022-3570, CVE-2022-35737, CVE-2022-3577, CVE-2022-3586, CVE-2022-3591, CVE-2022-3594, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3621, CVE-2022-3623, CVE-2022-3625, CVE-2022-3626, CVE-2022-3627, CVE-2022-3628, CVE-2022-3629, CVE-2022-3635, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-37026, CVE-2022-3705, CVE-2022-3707, CVE-2022-37454, CVE-2022-3775, CVE-2022-37966, CVE-2022-38023, CVE-2022-38126, CVE-2022-38127, CVE-2022-38177, CVE-2022-38178, CVE-2022-38533, CVE-2022-3903, CVE-2022-39189, CVE-2022-39399, CVE-2022-3970, CVE-2022-40303, CVE-2022-40304, CVE-2022-40307, CVE-2022-40674, CVE-2022-40768, CVE-2022-4095, CVE-2022-41218, CVE-2022-41222, CVE-2022-4129, CVE-2022-4139, CVE-2022-4141, CVE-2022-41674, CVE-2022-41741, CVE-2022-41742, CVE-2022-41848, CVE-2022-41849, CVE-2022-41850, CVE-2022-41858, CVE-2022-42010, CVE-2022-42011, CVE-2022-42012, CVE-2022-42328, CVE-2022-42329, CVE-2022-42432, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42895, CVE-2022-42896, CVE-2022-42898, CVE-2022-4292, CVE-2022-4293, CVE-2022-4304, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-43945, CVE-2022-43995, CVE-2022-4450, CVE-2022-44617, CVE-2022-45061, CVE-2022-45934, CVE-2022-46285, CVE-2022-4662, CVE-2022-47520, CVE-2022-47629, CVE-2022-47929, CVE-2022-48281, CVE-2022-4883, CVE-2023-0215, CVE-2023-0266, CVE-2023-0286, CVE-2023-0767, CVE-2023-22809, CVE-2023-23454, CVE-2023-23455 | For more information, see SUSE.com |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-23694 | Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CVE-2023-23693 | Dell VxRail, versions prior to 7.0.450, contains an OS command injection Vulnerability in DCManager command-line utility. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H |
| CVE-2023-32464 | Dell VxRail, versions prior to 7.0.450, contain an improper certificate validation vulnerability. A high privileged remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-23694 | Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CVE-2023-23693 | Dell VxRail, versions prior to 7.0.450, contains an OS command injection Vulnerability in DCManager command-line utility. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H |
| CVE-2023-32464 | Dell VxRail, versions prior to 7.0.450, contain an improper certificate validation vulnerability. A high privileged remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
Affected Products & Remediation
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell EMC VxRail Appliance | Versions prior to 7.0.450 | Version 7.0.450 | 7.0.450 |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell EMC VxRail Appliance | Versions prior to 7.0.450 | Version 7.0.450 | 7.0.450 |
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2023-05-04 | Initial Release |
| 2.0 | 2023-05-22 | Formatting changes made |
| 3.0 | 2023-06-14 | Added CVE-2022-29179 and CVE-2023-32464 |
| 4.0 | 2023-07-14 | Amended with CVE for iDRAC vulnerability |
| 5.0 | 2023-09-01 | Updated for enhanced presentation with no changes to content, including adding icon for external links and links to CVSS calculator. |
| 6.0 | 2023-10-11 | Amended for PowerEdge and AMD Server Vulnerabilities |
| 7.0 | 2023-10-27 | Amended to add Dell PowerEdge BIOS vulnerabilities |
Related Information
Legal Disclaimer
Affected Products
VxRail, CloudArray Virtual Edition for VxRail Appliance, VMWare Cloud on Dell EMC VxRail E560F, VMWare Cloud on Dell EMC VxRail E560N, VxRail 460 and 470 Nodes, VxRail Appliance Family, VxRail Appliance Series, VxRail G410, VxRail G Series Nodes
, VxRail D Series Nodes, VxRail D560, VxRail D560F, VxRail E Series Nodes, VxRail E460, VxRail E560, VxRail E560 VCF, VxRail E560F, VxRail E560F VCF, VxRail E560N, VxRail E560N VCF, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560 VCF, VxRail G560F, VxRail G560F VCF, VxRail Gen2 Hardware, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570 VCF, VxRail P570F, VxRail P570F VCF, VxRail P580N, VxRail P580N VCF, VXRAIL P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail S570 VCF, VxRail S670, VxRail Software, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570 VCF, VxRail V570F, VxRail V570F VCF, VXRAIL V670F, VxRail VD-4000R, VxRail VD-4000W, VxRail VD-4000Z, VxRail VD-4510C, VxRail VD-4520C, VxRail VD Series Nodes
...
Article Properties
Article Number: 000213011
Article Type: Dell Security Advisory
Last Modified: 27 Oct 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.