SB2023051945 - Multiple vulnerabilities in Dell PowerFlex Appliance




Published: May 19, 2023

Security Bulletin ID: SB2023051945
Severity: Medium
Patch available: YES
Number of vulnerabilities: 19
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 5%, Low: 95%

Description

This security bulletin contains information about 19 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2021-0187)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.


2) OS Command Injection (CVE-ID: CVE-2023-20050)

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2022-31697)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because the software stores credentials in plain text in log files. A local user with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.


4) Buffer overflow (CVE-ID: CVE-2022-31696)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the way network sockets are handled. A local privileged user can trigger memory corruption and execute arbitrary code with elevated privileges.


5) Improper isolation or compartmentalization (CVE-ID: CVE-2022-38090)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper isolation of shared resources in some Intel processors when using Intel Software Guard Extensions. A local user can gain access to sensitive information.


6) Improper access control (CVE-ID: CVE-2022-21216)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in out-of-band management in Intel processors. A remote privileged user on the local network can bypass implemented security restrictions and gain unauthorized access to the application.


7) Incorrect calculation (CVE-ID: CVE-2022-33972)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect calculation in the microcode keying mechanism. A local user can gain access to sensitive information.


8) Incorrect default permissions (CVE-ID: CVE-2022-33196)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for memory controller configurations for some Intel Xeon processors when using Intel Software Guard Extensions. A local user can escalate privileges on the system.


9) Exposed dangerous method or function (CVE-ID: CVE-2022-36348)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of active debug code. A local user can execute arbitrary code with elevated privileges.


10) Improper access control (CVE-ID: CVE-2022-26343)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local privileged user can execute arbitrary code with elevated privileges.


11) Improper Initialization (CVE-ID: CVE-2022-30704)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the Intel(R) TXT SINIT ACM. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.


12) Input validation error (CVE-ID: CVE-2022-26837)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.


13) Improper Initialization (CVE-ID: CVE-2022-32231)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the BIOS firmware. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.


14) Use-after-free (CVE-ID: CVE-2022-30539)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.


15) Improper handling of exceptional conditions (CVE-ID: CVE-2022-36794)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors. A local user can perform a denial of service (DoS) attack.


16) Out-of-bounds write (CVE-ID: CVE-2022-31705)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the USB 2.0 controller (EHCI). A local privileged user on the guest OS can trigger an out-of-bounds write and execute arbitrary code as the virtual machine's VMX process running on the host.


17) Improper access control (CVE-ID: CVE-2021-33126)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the firmware. A local administrator can bypass implemented security restrictions and perform a denial of service (DoS) attack.


18) Protection Mechanism Failure (CVE-ID: CVE-2022-36797)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A local user can bypass implemented security restrictions and perform a denial of service (DoS) attack.


19) Protection Mechanism Failure (CVE-ID: CVE-2022-36416)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A local user can bypass implemented security restrictions and elevate privileges on the system.


Remediation

Install the update from the vendor's website.