CVE-2023-4401: DSA-2023-347: Dell SmartFabric Storage Software Security Update for Multiple Vulnerabilities
Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access.
Impact: High
Details
Proprietary Code CVEs

CVE-2023-4401
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access.
CVSS Base Score: 7.8
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43068
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to execution of arbitrary commands.
CVSS Base Score: 7.8
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43069
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker.
CVSS Base Score: 7.8
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43070
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability, leading to modification or writing of arbitrary files at arbitrary locations in the license container.
CVSS Base Score: 6.3
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE-2023-43071
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CSV formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection-type attacks.
CVSS Base Score: 4.4
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2023-43072
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local, possibly unauthenticated, attacker could potentially exploit this vulnerability, leading to the ability to execute arbitrary shell commands.
CVSS Base Score: 4.4
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVE-2023-43073
Description: Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized access to data.
CVSS Base Score: 4.3
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability. Note that the published vectors for CVE-2023-43068 and CVE-2023-43072 score Attack Vector as Local (AV:L) and Privileges Required as Low (PR:L), even though their descriptions mention a remote attacker over SSH and a possibly unauthenticated local attacker respectively; when prioritizing, rate these two according to the attacker position the description gives rather than by the base vector alone.
Affected Products and Remediation
Product: SmartFabric Storage Software Debian package v1.4.1 for upgrading the SmartFabric Storage Software VM deployed on either ESXi or Linux KVM
CVEs Addressed: CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073
Affected Versions: v1.4.0 and prior
Updated Versions: v1.4.1
Link: Debian Package v1.4.1 upgrade SmartFabric Storage Software VM (applicable to ESXi or Linux KVM)

Product: SmartFabric Storage Software package v1.4.1 for ESXi
CVEs Addressed: CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073
Affected Versions: v1.4.0 and prior
Updated Versions: v1.4.1
Link: SmartFabric Storage Software package v1.4.1 for ESXi

Product: SmartFabric Storage Software package v1.4.1 for Linux KVM
CVEs Addressed: CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073
Affected Versions: v1.4.0 and prior
Updated Versions: v1.4.1
Link: SmartFabric Storage Software package v1.4.1 for Linux KVM
Workarounds and Mitigations: None
Revision History
Revision 1.0 (2023-09-28): Initial Revision
Revision 2.0 (2023-10-05): Major Revision: added CVE links and modified some minor formatting
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
SmartFabric Storage Software for NVMe/TCP SAN, SmartFabric Storage Software Download for NVMe/TCP SAN