Multiple Flaws in Dell PowerProtect Products Let Attackers Execute OS Commands
Multiple vulnerabilities have been found in Dell's PowerProtect products, associated with SQL injection, cross-site scripting (XSS), privilege escalation, command injection, and path traversal. The severity of these vulnerabilities ranges from 4.3 (Medium) to 8.8 (High).
CVEs have been assigned to all of these vulnerabilities, with CVE-2023-44286, associated with cross-site scripting, having the highest severity (8.8) and CVE-2023-44284 the lowest (4.3) among the vulnerabilities found in Dell PowerProtect.
Multiple Flaws in Dell PowerProtect Products
In total, 8 vulnerabilities were disclosed, comprising 4 OS command injections, 1 path traversal, 1 SQL injection, 1 cross-site scripting (XSS), and 1 privilege escalation. These vulnerabilities exist in Dell PowerProtect DD versions prior to 7.13.0.10, LTS 7.7.5.5, LTS 7.10.1.15, and 6.2.1.1110.
OS Command Injection
CVE-2023-48668 (8.8), CVE-2023-44277 (7.8), CVE-2023-48667 (7.2), and CVE-2023-44279 (6.7) are associated with OS command injection vulnerabilities, which a threat actor could exploit to potentially execute arbitrary OS commands or bypass security restrictions.
A threat actor could potentially exploit some of these vulnerabilities to perform various activities, such as taking over the system, executing OS commands with the privileges of the vulnerable application, and more.
Path Traversal
CVE-2023-44278 is associated with a path traversal vulnerability, which threat actors can exploit to gain unauthorized read and write access to OS files stored on the server filesystem. The severity of this vulnerability is given as 6.7 (Medium).
SQL Injection
CVE-2023-44284 is associated with a SQL injection vulnerability, which a threat actor could exploit to execute SQL commands on the application's backend database, resulting in unauthorized read access to application data. The severity of this vulnerability has been given as 4.3 (Low).
Cross-Site Scripting (XSS)
CVE-2023-44286 is associated with a cross-site scripting vulnerability, which a threat actor could potentially exploit to execute JavaScript code in the DOM environment of a victim user's browser.
Successful exploitation could lead to information disclosure, session theft, or client-side request forgery. The severity of this vulnerability has been given as 8.8 (High).
Privilege Escalation
CVE-2023-44285 is associated with a privilege escalation vulnerability, which a threat actor with low privileges could exploit to escalate their privileges as a result of improper access control. The severity of this vulnerability has been given as 7.8 (High).
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions |
|---|---|---|---|
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 | Dell PowerProtect DD series appliances; Dell PowerProtect DD Virtual Edition; Dell APEX Protection Storage | 7.0 to 7.12.0.0 | 7.13.0.10 and above, or 7.10.1.15 and above to stay on LTS2023 7.10, or 7.7.5.25 and above to stay on LTS2022 7.7 |
| | | 6.2.1.100 and below | 6.2.1.110 and above |
| CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 | Dell PowerProtect DD Management Center | 7.0 to 7.12.0.0 | 7.13.0.10 and above, or 7.10.1.15 and above to stay on LTS2023 7.10, or 7.7.5.25 and above to stay on LTS2022 7.7 |
| | | 6.2.1.100 and below | 6.2.1.110 and above |
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 | PowerProtect DP Series Appliance (IDPA): All Models | 2.7.4 and below | 2.7.6 and above |
| CVE-2023-44284 | PowerProtect Data Manager Appliance model: DM5500 | 5.14 and below | 5.15.0.0 and above |
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 | Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition used within the Disk Library for Mainframe (DLm) environment | 7.0 to 7.12.0.0 | 7.13.0.10 and above, or 7.10.1.15 and above to stay on LTS2023 7.10, or 7.7.5.25 and above to stay on LTS2022 7.7 |
| | | 6.2.1.100 and below | 6.2.1.110 and above |
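The table above spreads the affected and remediated ranges for the DD series appliances, DD Virtual Edition, APEX Protection Storage and DD Management Center rows over several release lines, so deciding whether a given appliance version is covered is easy to get wrong by eye. The following is an added example, not Dell's code or tooling, that transcribes those ranges and classifies a version string. It assumes that Dell DD version strings are dotted integers that order numerically component by component (a simplification), that a release line is identified by its major.minor prefix, and the sample inventory at the bottom is constructed.

```python
"""Classify a PowerProtect DD version against the advisory table's ranges.

Added example (not Dell's code). Ranges are transcribed from the table rows
for DD series appliances / DD Virtual Edition / APEX Protection Storage and
DD Management Center. Assumption: versions are dotted integers that compare
numerically component by component.
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """'7.10.1.15' -> (7, 10, 1, 15); pad to four components so '7.0' == '7.0.0.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# Affected ranges from the table, inclusive on both ends.
# "6.2.1.100 and below" is open at the bottom, so it starts at 0.0.0.0.
AFFECTED_RANGES = [
    (parse_version("7.0"), parse_version("7.12.0.0")),
    ((0, 0, 0, 0), parse_version("6.2.1.100")),
]

# Minimum remediated version on each release line the table names,
# keyed by the (major, minor) prefix that identifies the line.
REMEDIATED_MIN = {
    (7, 13): parse_version("7.13.0.10"),  # current line
    (7, 10): parse_version("7.10.1.15"),  # stay on LTS2023 7.10
    (7, 7): parse_version("7.7.5.25"),    # stay on LTS2022 7.7
    (6, 2): parse_version("6.2.1.110"),   # 6.2 line
}


def assess(version: str) -> str:
    """Return 'remediated', 'affected', or a note that the table does not cover it."""
    v = parse_version(version)
    fixed = REMEDIATED_MIN.get(v[:2])
    # Remediated only if the host is at or above the fix on its own release line.
    if fixed is not None and v >= fixed:
        return "remediated"
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "affected"
    # Edge case: e.g. 7.13.0.5 is newer than 7.12.0.0 but below the 7.13.0.10 fix.
    # The table does not classify it, so never report it as safe by default.
    return "not listed in table; consult the Dell advisory"


def remediation_target(version: str) -> str | None:
    """Minimum remediated version that keeps the host on its current release line
    when the table offers one; otherwise the current 7.13 line. None if already fixed."""
    v = parse_version(version)
    if assess(version) == "remediated":
        return None
    fixed = REMEDIATED_MIN.get(v[:2], REMEDIATED_MIN[(7, 13)])
    return ".".join(str(p) for p in fixed)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "dd-backup-01": "7.12.0.0",
        "dd-backup-02": "7.10.1.14",
        "dd-lts-03": "7.7.5.25",
        "dd-legacy-04": "6.2.1.100",
        "dd-new-05": "7.13.0.5",
    }
    for host, ver in inventory.items():
        print(f"{host:14} {ver:10} {assess(ver):45} target={remediation_target(ver)}")
```

Hosts that fall into the "not listed" bucket are the ones to follow up manually against the Dell advisory rather than silently dropping from a patch report; the classifier deliberately refuses to call anything safe that the table does not explicitly mark as remediated.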
Additionally, the security advisory published by Dell provides detailed information about these vulnerabilities, their CVSS vectors, and other details.
Source credit: cybersecuritynews.com