SB2022110237 - Multiple vulnerabilities in Dell PowerConnect Series
Published: November 2, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Integer underflow (CVE-ID: CVE-2019-12255)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer underflow when processing TCP packets with URG-flag set. A remote attacker can send a specially crafted TCP request to the affected system, trigger integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Race condition (CVE-ID: CVE-2019-12263)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to a race condition when processing TCP packets. A remote unauthenticated attacker can send malicious sequence of TCP packets within a specific timing, trigger a race condition and perform denial of service attack.
3) Input validation error (CVE-ID: CVE-2019-12258)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation when processing options in TCP packets. A remote attacker can a specially crafted TCP packet with the source and destination TCP-port and IP-addresses of an existing session can reset the TCP session, leading to a DoS attack.
Remediation
Install update from vendor's website.