SB2024062113 - Multiple vulnerabilities in Dell PowerScale OneFS
Published: June 21, 2024
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2023-42465)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass the authentication process.
The vulnerability exists due to insufficient resistance to Rowhammer attacks. A local user can bypass the authentication process and gain unauthorized access to the system.
2) Error Handling (CVE-ID: CVE-2023-23931)
CWE-ID: CWE-388 - Error Handling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker to misuse the Python API.
The vulnerability exists due to a soundness bug in the Cipher.update_into function, which allows immutable objects (such as bytes) to be mutated. A malicious programmer can misuse the Python API to introduce unexpected behavior into the application.
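The defect described above is a buffer-writing API accepting a read-only object as its output buffer. The following added example (not code from this bulletin or from the pyca/cryptography project) shows the defensive check such an API should perform: reject read-only buffers such as bytes, and verify the buffer size. The minimum-size rule len(data) + block_size - 1 is an assumption modelled on update_into's documented requirement; the XOR stand-in is not a real cipher.

```python
"""Defensive handling of caller-supplied output buffers, in the style of
cryptography's Cipher.update_into (added example, not project code)."""


def check_output_buffer(buf, needed: int) -> memoryview:
    """Return a writable, flat byte memoryview over buf, or raise.

    Rejects read-only objects such as bytes: writing into them through the
    buffer protocol would silently mutate an object Python treats as
    immutable, which is the class of defect CVE-2023-23931 describes.
    Assumption: `needed` is the minimum size the API requires.
    """
    try:
        view = memoryview(buf)
    except TypeError as exc:
        raise TypeError("output buffer must support the buffer protocol") from exc
    if view.readonly:
        raise TypeError("output buffer must be writable (bytearray, not bytes)")
    if view.ndim != 1 or view.itemsize != 1:
        raise TypeError("output buffer must be a flat byte buffer")
    if view.nbytes < needed:
        raise ValueError(f"output buffer too small: {view.nbytes} < {needed}")
    return view


def xor_update_into(data: bytes, key: bytes, buf, block_size: int = 16) -> int:
    """Toy stand-in for update_into: XOR data with a repeating key into buf.

    The XOR is only a placeholder for a real cipher; the buffer checks are
    the point. Returns the number of bytes written, as update_into does.
    Assumption: the API requires len(data) + block_size - 1 bytes of room.
    """
    view = check_output_buffer(buf, len(data) + block_size - 1)
    for i, b in enumerate(data):
        view[i] = b ^ key[i % len(key)]
    return len(data)
```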
3) Use of hard-coded credentials (CVE-ID: CVE-2024-29170)
CWE-ID: CWE-798 - Use of Hard-coded Credentials
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an adjacent network attacker to gain full access to a vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in application code. An unauthenticated attacker on an adjacent network can potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service.
Remediation
Install the update from the vendor's website.