Headline
CVE-2022-23161: DSA-2022-024: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contains a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker could potentially exploit this vulnerability, leading to denial-of-service. (of course this is temporary and will need to be adapted/reviewed as we determine the CWE with Srisimha Tummala 's help)
Vaikutus
Critical
Overview
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2022-24411
Dell PowerScale OneFS 8.2.2 and later contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to elevation of privilege. This may potentially allow users to circumvent PowerScale Compliance Mode guarantees.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24412
Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to denial-of-service.
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-23161
Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service.
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-23160
Dell PowerScale OneFS 8.2.x - 9.3.0 contain an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user may potentially exploit this vulnerability, leading to gaining write permissions on read-only files.
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVE-2022-23159
Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges may potentially exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity.
4.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
CVE-2022-23163
Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a denial of service vulnerability. A local attacker with minimal privileges may potentially exploit this vulnerability, leading to denial of service/data unavailability.
4.7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-24413
Dell PowerScale OneFS 8.2.2-9.3.x contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem may potentially exploit this vulnerability, leading to data loss.
4.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Third-Party Component
CVE
More information
Apache Portable Runtime
CVE-2017-12613
CVE-2021-35940
Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.
Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen
CVEs Addressed
Affected Versions
Updated Versions
Link to Update
CVE-2022-24411
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-24412
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23161
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-20174-12613
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23160
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23159
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23163
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-24413
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVEs Addressed
Affected Versions
Updated Versions
Link to Update
CVE-2022-24411
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-24412
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23161
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-20174-12613
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23160
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23159
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-23163
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
CVE-2022-24413
8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.
Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x.
Download and install the latest RUP
Keinoja ongelman kiertämiseen tai lieventämiseen
CVEs addressed
Workaround or Mitigation
CVE-2022-24411
none
CVE-2022-24412
Disable netbios support if enabled (default setting: disabled):
- Open an SSH connection on any node in the cluster and log on using the “root” account.
- Run the following command:
#isi smb settings global modify --support-netbios no
- To verify that the service is disabled, run the following command:
#isi smb settings global view | grep NetBIOS
If the service is disabled, the following output is displayed:
#Support NetBIOS: No
CVE-2022-23161
Configure a valid FQDN in the SmartConnect service name field for every SmartConnect subnet on the cluster:
#isi network subnets modify <subnet> --sc-service-name cluster-sc.example.com
CVE-2017-12613
none
CVE-2022-23160
Configure SMB share permissions of any SyncIQ target directory to prevent writes.
CVE-2022-23159
none
CVE-2022-23163
none
CVE-2022-24413
none
Versiohistoria
Revision
Date
Description
1.0
2022-03-03
Initial
1.1
2022-03-04
Corrected Impact
Asiaan liittyvät tiedot
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan “sellaisenaan” ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.
Related news
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.
Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.
RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion via path traversal vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain web server security mechanisms such as deleting .htaccess file that would deactivate those security constraints.
An Out-Of-Bounds Read Vulnerability in Autodesk FBX Review version 1.5.2 and prior may lead to code execution through maliciously crafted ActionScript Byte Code “ABC” files or information disclosure. ABC files are created by the Flash compiler and contain executable code. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.
A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.