SB2022110941 - Multiple vulnerabilities in Dell EMC Atmos
Published: November 9, 2022
Security Bulletin ID: SB2022110941
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Denial of service (CVE-ID: CVE-2016-8610)
The vulnerability allows a remote unauthenticated user to exhaust memory on the target system. The weakness is due to improper handling of certain packets by the ssl3_read_bytes() function in 'ssl/s3_pkt.c'.
By sending a flood of SSL3_AL_WARNING alerts during the SSL handshake, a remote attacker can consume excessive CPU resources, which may lead to the OpenSSL library becoming unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
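A defensive check for the condition described above, as an added example that is not part of the bulletin or of OpenSSL's code: it walks the plaintext records a peer sent during the handshake and flags a run of consecutive warning-level alerts. The function names, the threshold of 5 and the sample bytes are assumptions made for illustration, and fragmented alerts are treated as malformed.

```c
#include <stddef.h>
#include <stdint.h>

#define REC_ALERT     21   /* TLS record content type: alert */
#define REC_HANDSHAKE 22   /* TLS record content type: handshake */
#define AL_WARNING    1    /* alert level, same value as SSL3_AL_WARNING */
#define MAX_WARN_RUN  5    /* assumed policy: tolerated back-to-back warnings */

/* Scan plaintext TLS records from the handshake phase.
 * Returns 1 if more than MAX_WARN_RUN warning alerts arrive back to back,
 * 0 if the stream is within policy, -1 if a record is truncated or an
 * alert record is not a whole number of 2-byte alerts. */
int warn_alert_flood(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    unsigned run = 0;
    while (off < len) {
        if (len - off < 5) return -1;               /* short record header */
        uint8_t type = buf[off];
        size_t rlen = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        off += 5;
        if (rlen > len - off) return -1;            /* short record body */
        if (type == REC_ALERT) {
            if (rlen % 2) return -1;
            for (size_t i = 0; i < rlen; i += 2) {
                if (buf[off + i] != AL_WARNING) run = 0;   /* fatal alert */
                else if (++run > MAX_WARN_RUN) return 1;
            }
        } else {
            run = 0;                                /* any other record resets */
        }
        off += rlen;
    }
    return 0;
}

/* Constructed sample: one dummy handshake record, then n warning alerts
 * (description 100, no_renegotiation). Returns bytes written, 0 if no room. */
size_t build_sample(uint8_t *out, size_t cap, unsigned n)
{
    const uint8_t hs[] = { REC_HANDSHAKE, 3, 3, 0, 1, 0 };
    const uint8_t al[] = { REC_ALERT, 3, 3, 0, 2, AL_WARNING, 100 };
    size_t off = 0;
    if (cap < sizeof hs + n * sizeof al) return 0;
    for (size_t i = 0; i < sizeof hs; i++) out[off++] = hs[i];
    for (unsigned k = 0; k < n; k++)
        for (size_t i = 0; i < sizeof al; i++) out[off++] = al[i];
    return off;
}
```

A server or inline monitor would call `warn_alert_flood()` on the bytes received before the handshake completes and drop the connection on a return value of 1 or -1.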
2) Memory leak (CVE-ID: CVE-2017-15671)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the glob function in glob.c, which skips freeing allocated memory when processing the ~ operator with a long user name when invoked with GLOB_TILDE. A remote attacker can trigger memory corruption and cause the service to crash.
Remediation
Install the update from the vendor's website.