SB2024013049 - Dell Platform BIOS update for OpenSSL

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024013049

SB2024013049 - Dell Platform BIOS update for OpenSSL

Published: January 30, 2024

Security Bulletin ID SB2024013049
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 43% Low 57%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2023-4807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.


2) Resource management error (CVE-ID: CVE-2023-3817)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when checking the long DH keys. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


3) Resource management error (CVE-ID: CVE-2023-3446)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the DH_check(), DH_check_ex() and EVP_PKEY_param_check() function when processing a DH key or DH parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


4) Resource management error (CVE-ID: CVE-2023-2650)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when processing OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS subsystems with no message size limit. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


5) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2023-0465)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when validating certificate policies in leaf certificates. A remote attacker that controls a malicious CA server can issue a certificate that will be validated by the application.


6) Security features bypass (CVE-ID: CVE-2023-0466)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error within the X509_VERIFY_PARAM_add0_policy() function, which does not perform the certificate policy check despite being implicitly enabled. A remote attacker can bypass expected security restrictions and perform MitM attack.


7) Resource exhaustion (CVE-ID: CVE-2023-0464)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when verifying X.509 certificate chains that include policy constraints. A remote attacker can create a specially crafted certificate to trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References