Headline
CVE-2023-44277: DSA-2023-412: Dell Technologies PowerProtect Security Update for Multiple Security Vulnerabilities
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application’s underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Impact
High
Details
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2023-44286
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user’s DOM environment in the browser. . Exploitation may lead to information disclosure, session theft, or client-side request forgery.
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-48668
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application’s underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC.
8.2
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2023-44285
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44277
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application’s underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-48667
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application’s underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker.
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44279
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44278
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44284
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application’s backend database causing unauthorized read access to application data.
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2023-44286
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user’s DOM environment in the browser. . Exploitation may lead to information disclosure, session theft, or client-side request forgery.
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-48668
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application’s underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC.
8.2
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2023-44285
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44277
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application’s underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-48667
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application’s underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker.
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44279
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44278
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-44284
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application’s backend database causing unauthorized read access to application data.
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
Affected Products and Remediation
CVEs Addressed
Product
Affected Versions
Remediated Versions
Link
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
Dell PowerProtect DD series appliances
Dell PowerProtect DD Virtual Edition
Dell APEX Protection Storage
7.0 to 7.12.0.0
7.13.0.10 and above
or
7.10.1.15 and above to stay on LTS2023 7.10
or
7.7.5.25 and above to stay on LTS2022 7.7
For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):
https://www.dell.com/support/kbdoc/ 000081247
https://www.dell.com/support/kbdoc/ 000014125525902
6.2.1.100 and below
6.2.1.110 and above
CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278
Dell PowerProtect DD management Center
7.0 to 7.12.0.0
7.13.0.10 and above
or
7.10.1.15 and above to stay on LTS2023 7.10
or
7.7.5.25 and above to stay on LTS2022 7.7
6.2.1.100 and below
6.2.1.110 and above
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
PowerProtect DP Series Appliance (IDPA): All Models
2.7.4 and below
2.7.6 and above
Expected Availability: December 21, 2023
CVE-2023-44284
PowerProtect Data Manager Appliance model: DM5500
5.14 and below
5.15.0.0 and above
To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment
7.0 to 7.12.0.0
7.13.0.10 and above
or
7.10.1.15 and above to stay on LTS2023 7.10
or
7.7.5.25 and above to stay on LTS2022 7.7
Contact customer support to schedule the code update.
For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles):
https://www.dell.com/support/kbdoc/000081247
https://www.dell.com/support/kbdoc/000014125
6.2.1.100 and below
6.2.1.110 and above
CVEs Addressed
Product
Affected Versions
Remediated Versions
Link
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
Dell PowerProtect DD series appliances
Dell PowerProtect DD Virtual Edition
Dell APEX Protection Storage
7.0 to 7.12.0.0
7.13.0.10 and above
or
7.10.1.15 and above to stay on LTS2023 7.10
or
7.7.5.25 and above to stay on LTS2022 7.7
For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):
https://www.dell.com/support/kbdoc/ 000081247
https://www.dell.com/support/kbdoc/ 000014125525902
6.2.1.100 and below
6.2.1.110 and above
CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278
Dell PowerProtect DD management Center
7.0 to 7.12.0.0
7.13.0.10 and above
or
7.10.1.15 and above to stay on LTS2023 7.10
or
7.7.5.25 and above to stay on LTS2022 7.7
6.2.1.100 and below
6.2.1.110 and above
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
PowerProtect DP Series Appliance (IDPA): All Models
2.7.4 and below
2.7.6 and above
Expected Availability: December 21, 2023
CVE-2023-44284
PowerProtect Data Manager Appliance model: DM5500
5.14 and below
5.15.0.0 and above
To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284
Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment
7.0 to 7.12.0.0
7.13.0.10 and above
or
7.10.1.15 and above to stay on LTS2023 7.10
or
7.7.5.25 and above to stay on LTS2022 7.7
Contact customer support to schedule the code update.
For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles):
https://www.dell.com/support/kbdoc/000081247
https://www.dell.com/support/kbdoc/000014125
6.2.1.100 and below
6.2.1.110 and above
Additional, related information is available at this Knowledgebase article KB000220263: Additional Information Regarding DSA-2023-412: Dell PowerProtect DD Vulnerabilities.
Expected availability dates are subject to change.
Acknowledgements
CVE-2023-44279: Dell Technologies would like to thank Rushank Shetty and Ryan Kane (Security Researchers at Northwestern Mutual) for reporting this issue.
CVE-2023-44277, CVE-2023-44284, CVE-2023-44286: Dell Technologies would like to thank Jakub Brzozowski (redfr0g), Franciszek Kalinowski, and Stanisław Koza from STM Cyber for reporting these issues.
CVE-2023-44285: Dell Technologies would like to thank Jens Krüger from SAP for reporting this issue.
Revision History
Revision
Date
Description
1.0
2023-12-13
Initial Release
2.0
2023-12-13
Updated for enhancement no change to content
3.0
2023-12-13
• Updated “Affected Product” section under “Article Properties”
• Added Additional details stating “The downloads will be made available shortly”
4.0
2023-12-13
Added Additional Acknowledgement in “Acknowledgements” section
5.0
2023-12-13
• Corrected link in the “Affected Products and Remediation” Table
• Removed Additional Details statement “The downloads will be made available shortly”
• Updated "Affected Product section under “Article Properties”
6.0
2023-12-13
Updated "Affected Product section under “Article Properties”
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
Data Backup & Protection Storage, Data Domain, PowerProtect Data Protection Appliance, PowerProtect Data Manager Appliance, DD3300 Appliance, Data Domain Deduplication Storage Systems, DD OS 6.2, DD OS, DD OS 6.0, DD OS 6.1, DD OS 7.0, DD OS 7.1 , DD OS 7.10, DD OS 7.11, DD OS 7.12, DD OS 7.2, DD OS 7.3, DD OS 7.4, DD OS 7.5, DD OS 7.6, DD OS 7.7, DD OS 7.8, DD OS 7.9, Data Domain Virtual Edition, DD2200 Appliance, DD6300 Appliance, DD6400 Appliance, DD6800 Appliance, DD6900 Appliance, DD9300 Appliance, DD9400 Appliance, DD9800 Appliance, DD9900 Appliance, Disk Library for mainframe, PowerProtect Data Domain Management Center, Integrated Data Protection Appliance Software, PowerProtect DM5500 …