Dell Technologies has published a critical security advisory, DSA-2024-405, addressing multiple vulnerabilities in its PowerFlex, InsightIQ and Data Lakehouse products that could be exploited to compromise affected systems.
The advisory lists a remediated software or firmware version for every affected product; applying those versions is the only fix Dell offers, there is no workaround.
Critical Vulnerabilities Identified
The security advisory highlights two vulnerabilities, identified as CVE-2024-37143 and CVE-2024-37144.
Both affect the same set of Dell products: PowerFlex appliances, PowerFlex racks, PowerFlex custom nodes using PowerFlex Manager, InsightIQ, and Data Lakehouse.
- CVE-2024-37143: Improper link resolution before file access (CWE-59, "link following"): the software opens a path without first checking whether a symbolic link on that path redirects it somewhere else. It affects older versions of Dell PowerFlex appliances, racks, and custom nodes using PowerFlex Manager, as well as InsightIQ and Data Lakehouse. An unauthenticated attacker with remote access could exploit this flaw to execute arbitrary code on the system. It carries a CVSS base score of 10.0, the maximum, which is why the advisory as a whole is rated critical.
- CVE-2024-37144: Insecure storage of sensitive information (CWE-922). It affects the same range of products as CVE-2024-37143. A highly privileged attacker with local access could exploit it to disclose sensitive information and gain unauthorized access to pods within the cluster. Its CVSS base score is 8.2; the local, high-privilege precondition is what keeps it below the first issue.
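The following is an added illustration of the weakness class behind CVE-2024-37143, not code from any Dell product (the advisory does not say which component is affected or how). It shows the generic CWE-59 pattern, a file read that follows a planted symbolic link out of its intended directory, next to a hardened version that resolves the path, confirms it stays under the base directory, and then opens with O_NOFOLLOW so a link on the final component is refused even if it is swapped in after the check. The directory layout, file names and contents are constructed for the demonstration; O_NOFOLLOW assumes a POSIX system.

```python
import os
import tempfile
from pathlib import Path


def read_vulnerable(base_dir: str, name: str) -> bytes:
    """CWE-59 pattern: joins a name onto base_dir and opens the result,
    silently following any symlink on the way. A link planted in base_dir
    redirects the read to any file the process can access."""
    return Path(base_dir, name).read_bytes()


def read_hardened(base_dir: str, name: str) -> bytes:
    """Resolve first, check containment, then open without following links.

    The resolve/open gap is a residual TOCTOU for intermediate directories;
    holding a directory fd and using os.open(..., dir_fd=...) with
    O_NOFOLLOW on each component closes it fully. This version is enough
    to stop the planted-link case demonstrated below."""
    base = Path(base_dir).resolve(strict=True)
    candidate = base / name
    resolved = candidate.resolve(strict=True)
    if resolved != base and base not in resolved.parents:
        raise PermissionError(f"{name!r} resolves outside {base}")
    # O_NOFOLLOW makes the kernel refuse (ELOOP) if the last component is a
    # symlink, regardless of where it points.
    fd = os.open(candidate, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout (an assumption for the example, not a product layout):
         root/secret.txt            file outside the config directory
         root/conf/app.conf         legitimate config
         root/conf/evil.conf -> ../secret.txt   planted symlink
    Returns which behaviours were observed."""
    with tempfile.TemporaryDirectory() as root:
        conf = Path(root, "conf")
        conf.mkdir()
        secret = Path(root, "secret.txt")
        secret.write_bytes(b"db-password=hunter2\n")
        (conf / "app.conf").write_bytes(b"log_level=info\n")
        (conf / "evil.conf").symlink_to(Path("..", "secret.txt"))

        out = {}
        # Vulnerable reader hands back the file outside its directory.
        out["vulnerable_leaks_secret"] = (
            read_vulnerable(str(conf), "evil.conf") == secret.read_bytes()
        )
        # Hardened reader refuses the link (containment check fires first;
        # O_NOFOLLOW would refuse it even if the link pointed inside conf/).
        try:
            read_hardened(str(conf), "evil.conf")
            out["hardened_blocks_link"] = False
        except OSError:  # PermissionError is a subclass of OSError
            out["hardened_blocks_link"] = True
        # Hardened reader still serves the regular file.
        out["hardened_reads_regular"] = (
            read_hardened(str(conf), "app.conf") == b"log_level=info\n"
        )
        return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The containment check catches links that escape the directory; O_NOFOLLOW catches links that stay inside it but still let an attacker choose which file is read. Both are needed, and neither replaces running the service with the least file-system access it can work with.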
Affected Products and Remediation
Dell has provided remediation for all affected products through software or firmware updates.
The affected versions and their corresponding remediated versions are as follows:
- Dell PowerFlex Appliance: two release trains are affected. Versions before IC 46.381.00 should be updated to IC 46.381.00 or later, and versions before IC 46.376.00 to IC 46.376.00 or later.
- Dell PowerFlex Rack: likewise two trains. Versions before RCM 3.8.1.0 (3.8.x train) should be updated to RCM 3.8.1.0 or later, and versions before RCM 3.7.6.0 (3.7.x train) to RCM 3.7.6.0 or later.
- Dell PowerFlex Custom Node using PowerFlex Manager: versions before 4.6.1.0 should be updated to 4.6.1.0 or later.
- Dell InsightIQ: versions before 5.1.1 should be updated to 5.1.1 or later.
- Dell Data Lakehouse: versions before 1.2.0.0 should be updated to 1.2.0.0 or later.
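Checking an inventory against this list is easy to get wrong because the appliance and rack products have two trains with their own fixed versions: a host on IC 46.376.00 is remediated even though 46.376.00 sorts before 46.381.00. The script below is an added example, not a Dell tool; it encodes the remediated versions listed above (reading the appliance and rack entries as two independent trains is our interpretation of the advisory), normalizes the "IC"/"RCM" labels, compares numerically within the matching train, and flags versions on trains the advisory does not enumerate instead of guessing. The inventory rows are constructed sample data.

```python
import re

# Remediated versions from DSA-2024-405 as listed above: product -> tuple of
# (train prefix, fixed version). An empty prefix means a single train.
FIXED_VERSIONS = {
    "PowerFlex Appliance": (("46.381", "46.381.00"), ("46.376", "46.376.00")),
    "PowerFlex Rack": (("3.8", "3.8.1.0"), ("3.7", "3.7.6.0")),
    "PowerFlex Custom Node": (("", "4.6.1.0"),),
    "InsightIQ": (("", "5.1.1"),),
    "Data Lakehouse": (("", "1.2.0.0"),),
}

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("pf-app-01", "PowerFlex Appliance", "IC 46.376.00"),   # on the 46.376 train, at its fix
    ("pf-app-02", "PowerFlex Appliance", "IC 46.381.00"),   # on the 46.381 train, at its fix
    ("pf-app-03", "PowerFlex Appliance", "IC 46.375.00"),   # train not in the advisory
    ("pf-rack-01", "PowerFlex Rack", "RCM 3.7.5.0"),        # below 3.7.6.0
    ("pf-rack-02", "PowerFlex Rack", "RCM 3.8.1.0"),
    ("pfmp-01", "PowerFlex Custom Node", "4.6.0.0"),        # below 4.6.1.0
    ("iiq-01", "InsightIQ", "5.0.1"),                        # below 5.1.1
    ("dlh-01", "Data Lakehouse", "1.2.0.0"),
]


def normalize(version: str) -> str:
    """Strip the 'IC ' / 'RCM ' labels Dell prints in front of build numbers."""
    return re.sub(r"^\s*(IC|RCM)\s+", "", version, flags=re.IGNORECASE).strip()


def parse_version(version: str) -> tuple:
    """'46.381.00' -> (46, 381, 0). Numeric parts, so '00' and '0' compare equal."""
    return tuple(int(part) for part in normalize(version).split("."))


def check(product: str, version: str) -> tuple:
    """Return (status, target_version).

    status is 'remediated', 'affected', or 'unlisted' when the host runs a
    train the advisory does not enumerate; target_version is the version the
    host's own train is fixed at (or the newest listed fix for 'unlisted').
    """
    v = parse_version(version)
    bare = normalize(version)
    for prefix, fixed in FIXED_VERSIONS[product]:
        on_train = prefix == "" or bare.startswith(prefix + ".")
        if on_train:
            status = "remediated" if v >= parse_version(fixed) else "affected"
            return (status, fixed)
    newest = max((fixed for _, fixed in FIXED_VERSIONS[product]), key=parse_version)
    return ("unlisted", newest)


def audit(inventory) -> list:
    """Run check() over (host, product, version) rows -> [(host, status, target)]."""
    return [(host, *check(product, version)) for host, product, version in inventory]


if __name__ == "__main__":
    for host, status, target in audit(INVENTORY):
        print(f"{host:12} {status:11} target {target}")
```

"unlisted" is deliberately not "remediated": a version above every listed fix may simply post-date the advisory, but one below the oldest listed train is almost certainly affected, and either way the host should be confirmed against the advisory rather than silently passed.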
Customers are urged to apply these updates promptly; Dell lists no workaround or mitigation for either CVE.
Recommendations and Impact
Dell Technologies recommends that customers consider both the CVSS base score and any relevant temporal and environmental scores that may influence the actual severity of these vulnerabilities in their specific environments, for example whether the affected management interfaces are reachable from outside an isolated management network.
The overall impact is rated critical because CVE-2024-37143 allows unauthenticated remote code execution on affected systems, with CVE-2024-37144 adding a local path to sensitive data and cluster pods; together they pose significant risk to data integrity and system security.
Dell’s security advisory underscores the importance of maintaining up-to-date systems and applying security patches promptly to protect against potential exploits that could compromise sensitive information and system operations.
For more detailed information on the vulnerabilities and remediation steps, Dell customers are encouraged to consult the official Dell Security Advisories and Notices or contact Dell support for assistance in implementing these critical updates effectively.