Multiple vulnerabilities in Dell Unisphere for PowerMax, Dell Solutions Enabler, Dell Unisphere 360 and Dell VASA Provider



Published: 2022-11-14 | Updated: 2023-07-02
Risk: Critical
Patch available: Yes
Number of vulnerabilities: 141
CVE-ID: CVE-2022-21873
CVE-2022-21867
CVE-2022-21868
CVE-2022-21869
CVE-2022-21870
CVE-2022-21871
CVE-2022-21872
CVE-2022-21874
CVE-2022-21865
CVE-2022-21875
CVE-2022-21876
CVE-2022-21877
CVE-2022-21878
CVE-2022-21879
CVE-2022-21880
CVE-2022-21866
CVE-2022-21864
CVE-2022-21882
CVE-2022-21851
CVE-2022-21838
CVE-2022-21839
CVE-2022-21843
CVE-2022-21848
CVE-2022-21849
CVE-2022-21850
CVE-2022-21852
CVE-2022-21863
CVE-2022-21857
CVE-2022-21858
CVE-2022-21859
CVE-2022-21860
CVE-2022-21861
CVE-2022-21862
CVE-2022-21881
CVE-2022-21883
CVE-2022-21835
CVE-2022-21924
CVE-2022-21915
CVE-2022-21916
CVE-2022-21918
CVE-2022-21919
CVE-2022-21920
CVE-2022-21922
CVE-2022-21928
CVE-2022-21913
CVE-2022-21958
CVE-2022-21959
CVE-2022-21960
CVE-2022-21961
CVE-2022-21962
CVE-2022-21963
CVE-2022-21914
CVE-2022-21912
CVE-2022-21885
CVE-2022-21895
CVE-2022-21888
CVE-2022-21889
CVE-2022-21890
CVE-2022-21892
CVE-2022-21893
CVE-2022-21894
CVE-2022-21896
CVE-2022-21908
CVE-2022-21897
CVE-2022-21898
CVE-2022-21902
CVE-2022-21903
CVE-2022-21904
CVE-2022-21906
CVE-2022-21907
CVE-2022-21836
CVE-2022-21834
CVE-2021-38631
CVE-2022-21340
CVE-2022-21341
CVE-2022-21248
CVE-2021-22947
CVE-2021-36957
CVE-2021-36976
CVE-2021-38665
CVE-2022-21293
CVE-2021-38666
CVE-2021-41333
CVE-2021-41356
CVE-2021-41366
CVE-2021-41367
CVE-2021-41370
CVE-2022-21294
CVE-2022-21283
CVE-2021-41377
CVE-2022-21305
CVE-2021-36339
CVE-2021-4034
CVE-2021-22959
CVE-2022-21349
CVE-2022-21291
CVE-2022-21277
CVE-2022-21271
CVE-2022-21360
CVE-2022-21365
CVE-2022-21366
CVE-2022-21282
CVE-2022-21296
CVE-2022-21299
CVE-2021-41371
CVE-2021-41378
CVE-2022-21833
CVE-2021-43235
CVE-2021-43229
CVE-2021-43230
CVE-2021-43231
CVE-2021-43232
CVE-2021-43233
CVE-2021-43234
CVE-2021-43236
CVE-2021-43227
CVE-2021-43238
CVE-2021-43244
CVE-2021-43247
CVE-2021-43248
CVE-2021-43883
CVE-2021-43893
CVE-2021-43228
CVE-2021-43226
CVE-2021-41379
CVE-2021-42285
CVE-2021-42275
CVE-2021-42276
CVE-2021-42277
CVE-2021-42279
CVE-2021-42280
CVE-2021-42283
CVE-2021-42288
CVE-2021-43224
CVE-2021-43207
CVE-2021-43215
CVE-2021-43216
CVE-2021-43217
CVE-2021-43219
CVE-2021-43222
CVE-2021-43223
CWE-ID: CWE-264
CWE-94
CWE-200
CWE-125
CWE-20
CWE-119
CWE-59
CWE-254
CWE-451
CWE-345
CWE-416
CWE-250
CWE-444
CWE-787
Exploitation vector: Network
Public exploit: Vulnerability #12 is being exploited in the wild.
Vulnerability #18 is being exploited in the wild.
Public exploit code for vulnerability #34 is available.
Vulnerability #41 is being exploited in the wild.
Public exploit code for vulnerability #61 is available.
Vulnerability #70 is being exploited in the wild.
Vulnerability #93 is being exploited in the wild.
Public exploit code for vulnerability #121 is available.
Public exploit code for vulnerability #122 is available.
Vulnerability #124 is being exploited in the wild.
Vulnerability #125 is being exploited in the wild.
Public exploit code for vulnerability #134 is available.
Vulnerable software
VASA Provider Standalone
Other software / Other software solutions

Solutions Enabler
Other software / Other software solutions

Unisphere 360
Other software / Other software solutions

Unisphere for PowerMax Virtual Appliance
Other software / Other software solutions

Unisphere for PowerMax
Other software / Other software solutions

Solutions Enabler Virtual Appliance
Server applications / Virtualization software

Vendor: Dell

Security Bulletin

This security bulletin contains information about 141 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59486

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21873

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Tile Data Repository, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59497

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21867

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Push Notifications Apps, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59495

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21868

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Devices Human Interface, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59493

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21869

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Clipboard User Service, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59492

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21870

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Tablet Windows User Interface Application Core, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59490

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21871

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Microsoft Diagnostics Hub Standard Collector Runtime, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59488

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21872

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Event Tracing, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Code Injection

EUVDB-ID: #VU59451

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21874

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Security Center API. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59500

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21865

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Connected Devices Platform Service, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59485

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21875

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Storage, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Information disclosure

EUVDB-ID: #VU59414

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21876

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Win32k. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Out-of-bounds read

EUVDB-ID: #VU59517

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2022-21877

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the Storage Spaces Controller (spaceport.sys driver). A local user can run a specially crafted program to trigger an out-of-bounds read error and read contents of memory with SYSTEM privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

13) Code Injection

EUVDB-ID: #VU59518

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21878

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Geolocation Service. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Input validation error

EUVDB-ID: #VU59482

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21879

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Windows kernel. A local user can run a specially crafted program to read contents of memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Information disclosure

EUVDB-ID: #VU59401

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21880

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows GDI+. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59499

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21866

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows System Launcher, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59502

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21864

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows UI Immersive Server API, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU59413

Risk: High

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2022-21882

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the Win32k.sys driver. A local user can run a specially crafted program to trigger a buffer overflow and execute arbitrary code on the system with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

19) Buffer overflow

EUVDB-ID: #VU59506

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21851

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PDU (Server RDP Preconnection) requests in the client's drive redirection virtual channel in Remote Desktop Client. A remote attacker can trick the victim into connecting to a malicious RDP server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Link following

EUVDB-ID: #VU59472

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21838

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a link following issue within the SilentCleanup scheduled task. A local user can create a specially crafted symbolic link to critical folders on the system and force the task to delete the folder.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Input validation error

EUVDB-ID: #VU59475

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21839

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows Event Tracing Discretionary Access Control List. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Input validation error

EUVDB-ID: #VU59408

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21843

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Input validation error

EUVDB-ID: #VU59406

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21848

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Code Injection

EUVDB-ID: #VU59405

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21849

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows IKE Extension. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Buffer overflow

EUVDB-ID: #VU59507

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21850

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Remote Desktop Client. A remote attacker can trick the victim into connecting to a malicious RDP server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59419

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21852

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows DWM Core Library, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59505

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21863

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows StateRepository API Server file, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59478

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21857

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Active Directory Domain Services, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59481

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21858

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Bind Filter Driver, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59515

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21859

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Accounts Control, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59484

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21860

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows AppContracts API Server, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59510

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21861

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Task Flow Data Engine, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59509

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21862

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Application Model Core API, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Buffer overflow

EUVDB-ID: #VU59483

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-21881

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Windows kernel. A local user can run a specially crafted program to trigger a buffer overflow and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

35) Input validation error

EUVDB-ID: #VU59407

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21883

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59470

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21835

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Microsoft Cryptographic Services, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Security features bypass

EUVDB-ID: #VU59516

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21924

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the Workstation Service. A remote attacker can trick the victim into initiating a connection to a malicious host and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Information disclosure

EUVDB-ID: #VU59400

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21915

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows GDI+. A remote authenticated attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Buffer overflow

EUVDB-ID: #VU59504

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21916

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Windows Common Log File System Driver. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Input validation error

EUVDB-ID: #VU59395

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21918

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in DirectX Graphics Kernel File. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Buffer overflow

EUVDB-ID: #VU59512

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2022-21919

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in Windows User Profile Service. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

42) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59402

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21920

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Kerberos, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Buffer overflow

EUVDB-ID: #VU59501

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21922

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Microsoft Windows RPC service. A remote authenticated user can send specially crafted data through the RPC runtime, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Code Injection

EUVDB-ID: #VU59390

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21928

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An authenticated attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Security features bypass

EUVDB-ID: #VU59513

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21913

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an unspecified error in Local Security Authority (Domain Policy). A remote attacker can trick the victim into initiating a connection with a malicious system and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Code Injection

EUVDB-ID: #VU59389

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21958

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Code Injection

EUVDB-ID: #VU59388

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21959

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Code Injection

EUVDB-ID: #VU59387

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21960

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Code Injection

EUVDB-ID: #VU59386

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21961

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Code Injection

EUVDB-ID: #VU59385

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21962

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Code Injection

EUVDB-ID: #VU59384

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21963

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59436

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21914

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Remote Access Connection Manager, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Code Injection

EUVDB-ID: #VU59393

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21912

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in DirectX Graphics Kernel. A local user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59438

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21885

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Remote Access Connection Manager, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Buffer overflow

EUVDB-ID: #VU59511

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21895

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in Windows User Profile Service. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Code Injection

EUVDB-ID: #VU59426

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21888

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Modern Execution Server. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Input validation error

EUVDB-ID: #VU59404

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21889

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Input validation error

EUVDB-ID: #VU59403

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21890

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

59) Code Injection

EUVDB-ID: #VU59391

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21892

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Resilient File System (ReFS). An attacker with physical access can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Code Injection

EUVDB-ID: #VU59415

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21893

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Remote Desktop Protocol. A remote attacker can trick a victim into connecting to a malicious RDP server and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Security features bypass

EUVDB-ID: #VU59498

Risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-21894

CWE-ID: CWE-254 - Security Features

Exploit availability: Yes

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to an error in Secure Boot implementation. A local user can bypass implemented security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

62) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59418

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21896

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows DWM Core Library, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59397

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21908

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Installer, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Buffer overflow

EUVDB-ID: #VU59503

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21897

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in Windows Common Log File System Driver. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Code Injection

EUVDB-ID: #VU59394

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21898

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in DirectX Graphics Kernel. A local user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59416

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21902

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows DWM Core Library, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

67) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59399

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21903

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows GDI, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Information disclosure

EUVDB-ID: #VU59398

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21904

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows GDI. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Security features bypass

EUVDB-ID: #VU59479

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21906

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper input validation in Windows Defender Application Control. A remote attacker can pass a specially crafted file to the system and bypass implemented security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

70) Buffer overflow

EUVDB-ID: #VU59392

Risk: Critical

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2022-21907

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the HTTP Trailer Support feature in HTTP Protocol Stack (http.sys). A remote attacker can send a specially crafted HTTP request to the web server, trigger a buffer overflow and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

71) Spoofing attack

EUVDB-ID: #VU59471

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21836

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a local user to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data in Windows Certificate. A local user can spoof page content.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

72) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59469

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21834

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows User-mode Driver Framework Reflector Driver, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Information disclosure

EUVDB-ID: #VU58047

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38631

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows Remote Desktop Protocol (RDP). A local administrator can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

74) Improper input validation

EUVDB-ID: #VU59732

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21340

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

75) Improper input validation

EUVDB-ID: #VU59733

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21341

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

76) Improper input validation

EUVDB-ID: #VU59734

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21248

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

77) Insufficient verification of data authenticity

EUVDB-ID: #VU56615

Risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22947

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists in the way libcurl handles the STARTTLS negotiation process. When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple "pipelined" responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.

This flaw allows a man-in-the-middle attacker to first inject the fake responses, then pass through the TLS traffic from the legitimate server, tricking curl into sending data back to the user as if the attacker's injected data came from the TLS-protected server.

Over POP3 and IMAP an attacker can inject fake response data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

78) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58066

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-36957

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Desktop Bridge, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

79) Use-after-free

EUVDB-ID: #VU59459

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-36976

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in copy_string. A remote attacker can cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

80) Information disclosure

EUVDB-ID: #VU58022

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38665

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Remote Desktop Protocol Client. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

81) Improper input validation

EUVDB-ID: #VU59730

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21293

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

82) Code Injection

EUVDB-ID: #VU58023

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38666

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Remote Desktop Client. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

83) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58925

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41333

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Print Spooler, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

84) Input validation error

EUVDB-ID: #VU58072

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41356

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Windows. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

85) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58065

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41366

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in the Credential Security Support Provider Protocol (CredSSP), which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

86) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58026

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41367

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in NTFS, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

87) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58025

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41370

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in NTFS, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

88) Improper input validation

EUVDB-ID: #VU59731

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21294

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

89) Improper input validation

EUVDB-ID: #VU59729

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21283

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

90) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58062

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41377

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in the Windows Fast FAT File System Driver, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

91) Improper input validation

EUVDB-ID: #VU59720

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21305

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

92) Execution with unnecessary privileges

EUVDB-ID: #VU69272

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-36339

CWE-ID: CWE-250 - Execution with Unnecessary Privileges

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application binary has the setuid bit set. A local low-privileged user can run the affected binary to get privileged access to the virtual appliance.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

93) Input validation error

EUVDB-ID: #VU60007

Risk: Medium

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-4034

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper handling of the calling parameters count in the pkexec setuid binary, which causes the binary to execute environment variables as commands. A local user can craft environment variables so that they are processed and executed by pkexec, and thereby execute arbitrary commands on the system as root.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

94) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU59233

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22959

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, where the application accepts requests with a space between the header name and the colon. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of this vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

95) Improper input validation

EUVDB-ID: #VU59718

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21349

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the 2D component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

96) Improper input validation

EUVDB-ID: #VU59719

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21291

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

97) Improper input validation

EUVDB-ID: #VU59721

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21277

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the ImageIO component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

98) Improper input validation

EUVDB-ID: #VU59728

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21271

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

99) Improper input validation

EUVDB-ID: #VU59722

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21360

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the ImageIO component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

100) Improper input validation

EUVDB-ID: #VU59723

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21365

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the ImageIO component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

101) Improper input validation

EUVDB-ID: #VU59724

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21366

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the ImageIO component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

102) Improper input validation

EUVDB-ID: #VU59725

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21282

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

103) Improper input validation

EUVDB-ID: #VU59726

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21296

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

104) Improper input validation

EUVDB-ID: #VU59727

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21299

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

105) Information disclosure

EUVDB-ID: #VU58048

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41371

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows Remote Desktop Protocol (RDP). A local administrator can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

106) Code Injection

EUVDB-ID: #VU58027

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41378

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows NTFS. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

107) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59467

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21833

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Virtual Machine IDE Drive, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

108) Information disclosure

EUVDB-ID: #VU58965

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43235

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Storage Spaces Controller. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

109) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58929

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43229

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows NTFS, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

110) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58928

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43230

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows NTFS, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

111) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58927

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43231

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows NTFS, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

112) Code Injection

EUVDB-ID: #VU58967

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43232

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Event Tracing. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

113) Code Injection

EUVDB-ID: #VU58968

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43233

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Remote Desktop Client. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

114) Code Injection

EUVDB-ID: #VU58969

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43234

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Windows Fax Service. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

115) Information disclosure

EUVDB-ID: #VU58961

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43236

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Microsoft Message Queuing. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

116) Information disclosure

EUVDB-ID: #VU58964

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43227

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Storage Spaces Controller. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

117) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58970

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43238

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Remote Access, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

118) Information disclosure

EUVDB-ID: #VU58941

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43244

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows Kernel. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

119) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58943

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43247

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows TCP/IP Driver, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

120) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58944

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43248

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Digital Media Receiver, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

121) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58951

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-43883

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Installer, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

122) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58952

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-43893

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Encrypting File System (EFS), which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

123) Input validation error

EUVDB-ID: #VU58966

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43228

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in SymCrypt. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

124) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58931

Risk: Low

CVSSv3.1: 7.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-43226

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Common Log File System Driver, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

125) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58061

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-41379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Installer, which leads to security restrictions bypass and deletion of targeted files on a system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

126) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58039

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42285

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Kernel, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

127) Code Injection

EUVDB-ID: #VU58059

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42275

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Microsoft COM for Windows. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

128) Code Injection

EUVDB-ID: #VU58057

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42276

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Microsoft Windows Media Foundation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

129) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58032

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42277

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Diagnostics Hub Standard Collector. A local user can delete targeted files on a system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

130) Buffer overflow

EUVDB-ID: #VU58056

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42279

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Chakra Scripting Engine. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

131) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58054

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42280

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Feedback Hub, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

132) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58024

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42283

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in NTFS, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

133) Security features bypass

EUVDB-ID: #VU58073

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42288

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass the authentication process.

The vulnerability exists due to a security feature bypass issue in Windows Hello. An attacker with physical access can bypass the target application

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

134) Information disclosure

EUVDB-ID: #VU58932

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-43224

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows Common Log File System Driver. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

135) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58930

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43207

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Common Log File System Driver, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

136) Buffer overflow

EUVDB-ID: #VU58957

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43215

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in iSNS Server. A remote attacker can send a specially crafted request, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

137) Information disclosure

EUVDB-ID: #VU58958

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43216

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Microsoft Local Security Authority Server (lsasrv). A remote authenticated attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

138) Out-of-bounds write

EUVDB-ID: #VU58953

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43217

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in Windows Encrypting File System (EFS). A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

139) Input validation error

EUVDB-ID: #VU58959

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43219

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in DirectX Graphics Kernel File. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

140) Information disclosure

EUVDB-ID: #VU58960

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43222

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Microsoft Message Queuing. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

141) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU58962

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43223

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Remote Access Connection Manager, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VASA Provider Standalone: before 9.2.3.10

Solutions Enabler Virtual Appliance: before 9.2.3.1

Solutions Enabler: before 9.2.3.1

Unisphere 360: before 9.2.3.4

Unisphere for PowerMax Virtual Appliance: before 9.2.3.11

Unisphere for PowerMax: before 9.2.3.11

External links

http://www.dell.com/support/kbdoc/en-us/000197693/dsa-2022-073-dell-unisphere-for-powermax-dell-unisphere-for-powermax-vapp-dell-solutions-enabler-vapp-dell-unisphere-360-dell-vasa-provider-vapp-and-dell-powermax-embedded-management-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


