Article Number: 000218107
DSA-2023-347: Dell SmartFabric Storage Software Security Update for Multiple Vulnerabilities
Summary: Dell SmartFabric Storage Software remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Article Content
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
CVE-2023-4401  |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-43068 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary commands. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-43069 |
Dell SmartFabric Storage Software v1.4 (and earlier) contain(s) an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-43070 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability, leading to modify or write arbitrary files to arbitrary locations in the license container. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2023-43071 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks. | 4.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2023-43072 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local possibly unauthenticated attacker could potentially exploit this vulnerability, leading to ability to execute arbritrary shell commands. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| CVE-2023-43073 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to gaining unauthorized access to data. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-4401 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-43068 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary commands. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-43069 |
Dell SmartFabric Storage Software v1.4 (and earlier) contain(s) an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-43070 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability, leading to modify or write arbitrary files to arbitrary locations in the license container. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2023-43071 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks. | 4.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2023-43072 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local possibly unauthenticated attacker could potentially exploit this vulnerability, leading to ability to execute arbritrary shell commands. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| CVE-2023-43073 |
Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to gaining unauthorized access to data. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Affected Products and Remediation
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link |
|---|---|---|---|---|
| CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software Debian package v1.4.1 for upgrading SmartFabric Storage Software VM deployed on either ESXi or linux KVM |
v1.4.0 and prior | v1.4.1 |
Debian Package v1.4.1 upgrade SmartFabric Storage Software VM (applicable to ESXi or Linux KVM) |
| CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software package v1.4.1 for ESXi. | v1.4.0 and prior | v1.4.1 | SmartFabric Storage Software package v1.4.1 for ESXi |
| CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software package v1.4.1 for Linux KVM. | v1.4.0 and prior | v1.4.1 | SmartFabric Storage Software package v1.4.1 for Linux KVM |
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link |
|---|---|---|---|---|
| CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software Debian package v1.4.1 for upgrading SmartFabric Storage Software VM deployed on either ESXi or linux KVM |
v1.4.0 and prior | v1.4.1 |
Debian Package v1.4.1 upgrade SmartFabric Storage Software VM (applicable to ESXi or Linux KVM) |
| CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software package v1.4.1 for ESXi. | v1.4.0 and prior | v1.4.1 | SmartFabric Storage Software package v1.4.1 for ESXi |
| CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073 | SmartFabric Storage Software package v1.4.1 for Linux KVM. | v1.4.0 and prior | v1.4.1 | SmartFabric Storage Software package v1.4.1 for Linux KVM |
Workarounds and Mitigations
None
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2023-09-28 | Initial Revision |
| 2.0 | 2023-10-05 | Major Revision: added CVE links and modified some minor formatting |
| 3.0 | 2023-10-13 | Major Revision: added legally required external redirect icon.Embedded external hyperlinks to the CVSS strings. |
Related Information
Legal Information
Article Properties
Affected Product
SmartFabric Storage Software for NVMe/TCP SAN, SmartFabric Storage Software Download for NVMe/TCP SAN
Last Published Date
13 Oct 2023
Article Type
Dell Security Advisory