Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Article Number: 000225667

DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content

Impact

High

Details

Third-Party Component CVEs More information
Sudo CVE-2023-42465 https://nvd.nist.gov/vuln/detail/CVE-2023-42465This hyperlink is taking you to a website outside of Dell Technologies.
pyca/cryptography CVE-2023-23931, CVE-2020-25659 See the NVD link below for individual scores for each CVE.https://nvd.nist.gov/This hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2024-29170 Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service. 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2024-29170 Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service. 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HThis hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Versions Remediated Versions Links
CVE-2023-42465 PowerScale OneFS

Version 8.2.x through 9.4.0.17

Version 9.4.0.18 or later

 PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659 PowerScale OneFS

Version 8.2.x through 9.4.0.17

 Version 9.7.1.0 or later PowerScale OneFS Downloads Area
CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 PowerScale OneFS

Version 9.5.0.0 through 9.7.0.1

 Version 9.7.1.0 or later PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659 PowerScale OneFS

Version 9.7.0.2

 Version 9.7.1.0 or later PowerScale OneFS Downloads Area
CVE-2024-29170 PowerScale OneFS

Version 8.2.x through 9.8.0.x

 N/A PowerScale OneFS 
Security Configuration Guide
CVEs Addressed Product Affected Versions Remediated Versions Links
CVE-2023-42465 PowerScale OneFS

Version 8.2.x through 9.4.0.17

Version 9.4.0.18 or later

 PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659 PowerScale OneFS

Version 8.2.x through 9.4.0.17

 Version 9.7.1.0 or later PowerScale OneFS Downloads Area
CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 PowerScale OneFS

Version 9.5.0.0 through 9.7.0.1

 Version 9.7.1.0 or later PowerScale OneFS Downloads Area
CVE-2023-23931, CVE-2020-25659 PowerScale OneFS

Version 9.7.0.2

 Version 9.7.1.0 or later PowerScale OneFS Downloads Area
CVE-2024-29170 PowerScale OneFS

Version 8.2.x through 9.8.0.x

 N/A PowerScale OneFS 
Security Configuration Guide

Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to version 9.7.1.0 or later.

We encourage all customers to adopt the Long Term Support (LTS) 2024 version, the 9.7.x code line with the latest maintenance MR 9.7.1.0. For more information about LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.

Workarounds and Mitigations

CVEs Mitigations
CVE-2023-42465 This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.

This vulnerability can be mitigated in non-compliance mode cluster and PowerScale OneFS version 9.5 or later by enabling the restricted shell for users.

More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub.
CVE-2024-29170

Please refer the section "Change password on backend switches” in the “Security Configuration Guide” document listed under "Administering Your Cluster" at https://www.dell.com/support/kbdoc/000220353

Revision History

 

RevisionDateDescription
1.02024-06-03Initial Release
2.02024-06-12Updated Workarounds and Mitigations section: CVE-2024-29170 mitigation details

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Information

Article Properties

Last Published Date

13 Jun 2024

Article Type

Dell Security Advisory

Back to Top