Headline
CVE-2023-32457: DSA-2023-277: Security Update for Dell PowerScale OneFS for Improper Privilege Management Vulnerability
Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of privileges.
Impact
High
Details
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-32457 | Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of privileges. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
Affected Products and Remediation
| CVE Addressed | Product | Affected Versions | Updated Versions | Link to Update |
|---|---|---|---|---|
| CVE-2023-32457 | PowerScale OneFS | Version 9.2.1.0 through 9.2.1.22 | Version 9.2.1.23 or later, Version 9.4.0.14 or later, Version 9.5.0.5 or later | PowerScale OneFS Downloads Area |
| CVE-2023-32457 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.13 | Version 9.4.0.14 or later, Version 9.5.0.5 or later | PowerScale OneFS Downloads Area |
| CVE-2023-32457 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.3 | Version 9.5.0.5 or later | PowerScale OneFS Downloads Area |
Workarounds and Mitigations
CVE-2023-32457

This vulnerability can be mitigated by performing the following steps:
1. Until you have upgraded to a fixed version, check and remove the user's or group's membership in any roles whenever you delete that user or group from the local provider.
2. Review the members of every role for non-existent or unintended users or groups and correct them. The following command lists each role and its members, per access zone:
for zone in $(isi zone zones list -az | awk ' { print $1 } ') ; do for role in $(isi auth roles list -az --zone $zone | awk ' { print $1 } '); do echo "Zone: $zone\tRole: $role" ; isi auth roles members list $role -v --zone $zone | grep -v -- --; echo; done; done
In addition to upgrading your version of OneFS or downloading and installing the latest RUP, perform step 2 to remove any past mis-mapping.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2023-08-29 | Initial Release |
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
Additional Information
Any version not listed in the Affected Products and Remediation section should be upgraded to PowerScale OneFS version 9.5.0.5 or later.
We encourage all customers to adopt the LTS 2023 version, which is the 9.5.x code line, with the latest maintenance RUP 9.5.0.5. For more information on LTS (Long Term Support) code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
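The following script is an added example (not Dell tooling) that classifies an installed OneFS version against the affected ranges in the Affected Products and Remediation table and the fallback rule in Additional Information, so an inventory of clusters can be triaged consistently. The cluster names and versions in the constructed inventory are hypothetical; for the 9.2.1 line it reports the same-line updated version (9.2.1.23), although the table also allows moving directly to 9.4.0.14 or 9.5.0.5.

```python
"""Check a PowerScale OneFS version string against the ranges in DSA-2023-277."""
from typing import Tuple

Version = Tuple[int, ...]

# (first affected, last affected, minimum updated version on the same code line),
# copied from the advisory's "Affected Products and Remediation" table.
AFFECTED_RANGES = [
    ((9, 2, 1, 0), (9, 2, 1, 22), (9, 2, 1, 23)),
    ((9, 4, 0, 0), (9, 4, 0, 13), (9, 4, 0, 14)),
    ((9, 5, 0, 0), (9, 5, 0, 3), (9, 5, 0, 5)),
]
# Any version not in the table should move to 9.5.0.5 or later ("Additional Information").
DEFAULT_TARGET = (9, 5, 0, 5)


def parse_version(text: str) -> Version:
    """Turn '9.4.0.13' into (9, 4, 0, 13); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version: Version) -> str:
    return ".".join(str(n) for n in version)


def assess(text: str) -> Tuple[str, str]:
    """Return (status, target): 'affected' = inside a listed range, 'fixed' = at or past
    that range's updated version (or at/past 9.5.0.5), 'unlisted' = not in the table,
    so the fallback rule applies. target is the minimum version the advisory points to."""
    version = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= version <= last:
            return "affected", fmt(fixed)
        if version[:3] == first[:3] and version >= fixed:
            return "fixed", fmt(fixed)
    if version >= DEFAULT_TARGET:
        return "fixed", fmt(DEFAULT_TARGET)
    return "unlisted", fmt(DEFAULT_TARGET)


if __name__ == "__main__":
    # Constructed inventory, not real cluster data (9.5.0.4 sits between the listed
    # affected range and the updated version, so it falls under the fallback rule).
    for node, installed in [("cluster-a", "9.4.0.13"), ("cluster-b", "9.5.0.4"), ("cluster-c", "9.2.1.23")]:
        status, target = assess(installed)
        print(f"{node}: OneFS {installed} -> {status}, advisory target {target}")
```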