DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
High
Details
| Third-Party Component | CVEs | More information |
|---|---|---|
| Sudo | CVE-2023-42465 | https://nvd.nist.gov/vuln/detail/CVE-2023-42465 |
| pyca/cryptography | CVE-2023-23931, CVE-2020-25659 | See the NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-29170 | Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-29170 | Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Links |
|---|---|---|---|---|
| CVE-2023-42465 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 |
Version 9.4.0.18 or later |
PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 |
Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.8 |
Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.6.0.0 through 9.7.0.1 | Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.7.0.2 |
Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-29170 | PowerScale OneFS | Version 8.2.x through 9.8.0.x |
N/A | PowerScale OneFS Security Configuration Guide |
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Links |
|---|---|---|---|---|
| CVE-2023-42465 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 |
Version 9.4.0.18 or later |
PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 |
Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.8 |
Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.6.0.0 through 9.7.0.1 | Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.7.0.2 |
Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-29170 | PowerScale OneFS | Version 8.2.x through 9.8.0.x |
N/A | PowerScale OneFS Security Configuration Guide |
Note:Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to version 9.7.1.0 or later. We encourage all customers to adopt the Long Term Support (LTS) 2024 version, the 9.7.x code line with the latest maintenance MR 9.7.1.0. For more information about LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
Workarounds & Mitigations
| CVEs | Mitigations |
|---|---|
| CVE-2023-42465 | This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. This vulnerability can be mitigated in non-compliance mode cluster and PowerScale OneFS version 9.5 or later by enabling the restricted shell for users. More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub. |
| CVE-2024-29170 | Please refer the section "Change password on backend switches” in the “Security Configuration Guide” document listed under "Administering Your Cluster" at https://www.dell.com/support/kbdoc/000220353 |
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-06-03 | Initial Release |
| 2.0 | 2024-06-12 | Updated Workarounds and Mitigations section: CVE-2024-29170 mitigation details |
| 3.0 | 2024-06-19 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-07-01 | Updated Affected Products and Remediation section: Version 9.5.1.0 release |
| 5.0 | 2024-07-29 | Updated for enhanced presentation with no changes to content. |
| 6.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content. |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFSArticle Properties
Article Number: 000225667
Article Type: Dell Security Advisory
Last Modified: 03 Oct 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.