SB2025052051 - Multiple vulnerabilities in Dell Networking Products

Description

This security bulletin contains information about 6 vulnerabilities.

1) Information exposure through microarchitectural state after transient execution (CVE-ID: CVE-2022-40982)

CWE-ID: CWE-1342 - Information Exposure through Microarchitectural State after Transient Execution

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/U:Green

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to the way data is shared between threads whereby the AVX GATHER instructions on Intel processors can forward the content of stale vector registers to dependent instructions. A malicious guest can infer data from different contexts on the same core and execute arbitrary code with elevated privileges.

2) Input validation error (CVE-ID: CVE-2022-44611)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A remote attacker on the local network can send specially crafted input to the application and compromise the affected system.

3) Insufficient control flow management (CVE-ID: CVE-2022-43505)

CWE-ID: CWE-691 - Insufficient Control Flow Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient control flow management in the BIOS firmware. A local user can perform a denial of service (DoS) attack.

4) Improper access control (CVE-ID: CVE-2022-37343)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions. A local user can execute arbitrary code with elevated privileges.

5) Improper access control (CVE-ID: CVE-2023-23908)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions. A local privileged user can gain access to sensitive information.

6) Unauthorized error injection (CVE-ID: CVE-2022-41804)

CWE-ID: CWE-1334 - Unauthorized Error Injection Can Degrade Hardware Redundancy

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to unauthorized error injection in some Intel Xeon Processors with Intel Software Guard Extensions (SGX). A local user can execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://www.dell.com/support/kbdoc/nl-nl/000317839/dsa-2025-183-security-update-for-dell-networking-products-for-multiple-vulnerabilities