Multiple vulnerabilities in Dell PowerFlex Rack



Risk Medium
Patch available YES
Number of vulnerabilities 39
CVE-ID CVE-2022-34416
CVE-2022-34407
CVE-2022-34408
CVE-2022-34409
CVE-2022-34410
CVE-2022-34411
CVE-2022-34412
CVE-2022-34414
CVE-2022-34415
CVE-2022-34417
CVE-2022-34377
CVE-2022-34418
CVE-2022-34419
CVE-2022-34413
CVE-2022-34420
CVE-2022-34421
CVE-2022-34422
CVE-2022-34423
CVE-2023-20050
CVE-2022-34406
CVE-2022-34376
CVE-2022-26837
CVE-2022-36416
CVE-2022-36797
CVE-2021-33126
CVE-2022-31705
CVE-2022-21216
CVE-2022-32231
CVE-2022-30704
CVE-2022-26343
CVE-2022-31697
CVE-2021-0187
CVE-2022-30539
CVE-2022-36348
CVE-2022-36794
CVE-2022-33972
CVE-2022-33196
CVE-2022-38090
CVE-2022-31696
CWE-ID CWE-119
CWE-78
CWE-20
CWE-693
CWE-284
CWE-787
CWE-665
CWE-532
CWE-416
CWE-749
CWE-755
CWE-682
CWE-276
CWE-653
Exploitation vector Network
Public exploit Public exploit code for vulnerability #26 is available.
Vulnerable software
PowerFlex rack
Other software / Other software solutions

Vendor Dell

Security Bulletin

This security bulletin contains information about 39 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU79419

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34416

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU79403

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34407

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU79405

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34408

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU79404

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34409

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU79411

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34410

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU79410

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34411

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU79409

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34412

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU79421

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34414

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing Microsoft Office files. A remote attacker can create a specially crafted Office document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU79420

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34415

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU79416

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34417

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Buffer overflow

EUVDB-ID: #VU79427

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34377

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Buffer overflow

EUVDB-ID: #VU79426

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34418

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Buffer overflow

EUVDB-ID: #VU79425

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34419

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Buffer overflow

EUVDB-ID: #VU79408

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34413

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Buffer overflow

EUVDB-ID: #VU79424

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34420

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Buffer overflow

EUVDB-ID: #VU79432

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34421

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Buffer overflow

EUVDB-ID: #VU79431

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34422

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU79430

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34423

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) OS Command Injection

EUVDB-ID: #VU72512

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20050

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Buffer overflow

EUVDB-ID: #VU79401

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34406

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Buffer overflow

EUVDB-ID: #VU79428

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34376

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code on the target system.

The vulnerability exists due to Improper SMM communication buffer verification. A local privileged user can send a specially crafted data, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Input validation error

EUVDB-ID: #VU72452

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26837

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Protection Mechanism Failure

EUVDB-ID: #VU73109

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36416

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A local user can bypass implemented security restrictions and elevate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Protection Mechanism Failure

EUVDB-ID: #VU73110

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36797

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a local user r to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A local user can bypass implemented security restrictions and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Improper access control

EUVDB-ID: #VU66488

Risk: Low

CVSSv3.1: 4.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-33126

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the firmware. A local administrator can bypass implemented security restrictions and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Out-of-bounds write

EUVDB-ID: #VU70156

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-31705

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the USB 2.0 controller (EHCI). A local privileged user on the guest OS can trigger an out-of-bounds write and execute arbitrary code as the virtual machine's VMX process running on the host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

27) Improper access control

EUVDB-ID: #VU72448

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21216

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in out-of-band management in Intel processors. A remote privileged user on the local network can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper Initialization

EUVDB-ID: #VU72451

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32231

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the BIOS firmware. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Improper Initialization

EUVDB-ID: #VU72453

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30704

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the Intel(R) TXT SINIT ACM. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper access control

EUVDB-ID: #VU72449

Risk: Low

CVSSv3.1: 6.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26343

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local privileged user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU70079

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31697

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores credentials in plain text into log files. A local user with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper access control

EUVDB-ID: #VU72455

Risk: Low

CVSSv3.1: 2.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0187

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Use-after-free

EUVDB-ID: #VU72450

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30539

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Exposed dangerous method or function

EUVDB-ID: #VU72464

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36348

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of active debug code. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improper handling of exceptional conditions

EUVDB-ID: #VU72465

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36794

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Incorrect calculation

EUVDB-ID: #VU72477

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33972

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect calculation in microcode keying mechanism. A local user can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Incorrect default permissions

EUVDB-ID: #VU72456

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33196

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for memory controller configurations for some Intel Xeon processors when using Intel Software Guard Extensions. A local user escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Improper isolation or compartmentalization

EUVDB-ID: #VU72457

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-38090

CWE-ID: CWE-653 - Improper isolation or compartmentalization

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper isolation of shared resources in some Intel processors when using Intel Software Guard Extensions. A local user can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Buffer overflow

EUVDB-ID: #VU70077

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31696

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the way network socket are handled. A local privileged user can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerFlex rack: before 3.6.3.2

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000213224/dsa-2023-145-dell-powerflex-rack-security-update-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###