SB2022110237 - Multiple vulnerabilities in Dell PowerConnect Series

Security Bulletin ID SB2022110237

Severity

High

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Integer underflow (CVE-ID: CVE-2019-12255)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer underflow when processing TCP packets with URG-flag set. A remote attacker can send a specially crafted TCP request to the affected system, trigger integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Race condition (CVE-ID: CVE-2019-12263)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a race condition when processing TCP packets. A remote unauthenticated attacker can send malicious sequence of TCP packets within a specific timing, trigger a race condition and perform denial of service attack.

3) Input validation error (CVE-ID: CVE-2019-12258)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation when processing options in TCP packets. A remote attacker can a specially crafted TCP packet with the source and destination TCP-port and IP-addresses of an existing session can reset the TCP session, leading to a DoS attack.

Remediation

Install update from vendor's website.

References

https://www.dell.com/support/kbdoc/en-us/000133296/dsa-2020-047-dell-emc-networking-os6-security-update-for-vxworks-component