Multiple vulnerabilities in Dell PowerPath for Windows



Published: 2023-05-26
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2023-28079
CVE-2023-28080
CVE-2023-32448
CWE-ID CWE-276
CWE-427
CWE-312
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		PowerPath Windows
Other software / Other software solutions

Vendor Dell

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Incorrect default permissions

EUVDB-ID: #VU76581

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-28079

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PowerPath Windows: 7.0 - 7.2

Fixed software versions

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000214248/dsa-2023-154-powerpath-windows-security-update-for-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Insecure DLL loading

EUVDB-ID: #VU76582

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-28080

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the application loads DLL libraries in an insecure manner. A local user can place a specially crafted .dll file on the system and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PowerPath Windows: 7.0 - 7.2

Fixed software versions

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000214248/dsa-2023-154-powerpath-windows-security-update-for-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Cleartext storage of sensitive information

EUVDB-ID: #VU76583

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-32448

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the application stores its license key stored locally in clear text. A local user with access to the installation directory can retrieve the license key of the product and use it to install and license PowerPath on different systems.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PowerPath Windows: 7.0 - 7.2

Fixed software versions

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000214248/dsa-2023-154-powerpath-windows-security-update-for-security-update-for-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###