header banner
Default

Dell PowerProtect Products Have Several Flaws That Allow Attackers to Run OS Commands


Multiple vulnerabilities have been discovered in Dell’s PowerProtect, which were associated with SQL injection, cross-site scripting (XSS), privilege escalation, command injection, and path tracing. The severity for these vulnerabilities ranges between 4.3 (Medium) and 8.8 (High).

Relevant CVEs have been assigned to all these vulnerabilities, with CVE-2023-44286 associated with Cross-Site Scripting having the highest severity (8.8) and CVE-2023-44284 with the lowest severity (4.3) among the discovered vulnerabilities in Dell PowerProtect.

Nearly 8 vulnerabilities have been disclosed, including 4 OS command injections, 1 Path Traversal, 1 SQL injection, 1 Cross-site scripting (XSS), and 1 Privilege Escalation. These vulnerabilities exist on Dell PowerProtect DD versions before 7.13.0.10, LTS 7.7.5.5, LTS 7.10.1.15, and 6.2.1.1110.

OS Command Injection

CVE-2023-48668 (8.8), CVE-2023-44277 (7.8), CVE-2023-48667 (7.2), and CVE-2023-44279 (6.7) were related to OS command injection vulnerability which can be exploited by a threat actor to potentially execute arbitrary OS commands or bypass security restrictions. 

A threat actor could also potentially exploit some of these vulnerabilities and perform various activities such as taking over the system, executing OS commands with vulnerable application privileges, and many others.

Path Traversal

CVE-2023-44278 is related to the Path Traversal vulnerability, which threat actors can exploit to gain unauthorized read and write access to the OS files stored on the server filesystem. The severity for this vulnerability is given as 6.7 (Medium).

SQL Injection

CVE-2023-44284 is related to SQL injection vulnerability, which a threat actor could exploit to execute SQL commands on the application’s backend database, resulting in unauthorized read access to the application data. The severity for this vulnerability has been given as 4.3 (Low).

Cross-Site Scripting (XSS)

CVE-2023-44286 is related to cross-site scripting vulnerability, which the threat actor can potentially exploit to execute Javascript code in a victim user’s DOM environment of the browser. 

Successful exploitation could lead to information disclosure, session theft, or client-side request forgery. The severity of this vulnerability has been given as 8.8 (High).

Privilege Escalation

CVE-2023-44285 is linked with a Privilege Escalation vulnerability, which a threat actor can exploit with low privilege to escalate their privilege due to improper access control. The severity for this vulnerability has been given as 7.8 (High).

CVEs AddressedProductAffected VersionsRemediated Versions
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284Dell PowerProtect DD series appliancesDell PowerProtect DD Virtual EditionDell APEX Protection Storage7.0 to 7.12.0.07.13.0.10 and aboveor7.10.1.15 and above to stay on LTS2023 7.10or7.7.5.25 and above to stay on LTS2022 7.7
6.2.1.100 and below6.2.1.110 and above
CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278Dell PowerProtect DD management Center7.0 to 7.12.0.07.13.0.10 and aboveor7.10.1.15 and above to stay on LTS2023 7.10or7.7.5.25 and above to stay on LTS2022 7.7
6.2.1.100 and below6.2.1.110 and above
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284PowerProtect DP Series Appliance (IDPA): All Models2.7.4 and below2.7.6 and above
CVE-2023-44284PowerProtect Data Manager Appliance model: DM55005.14 and below5.15.0.0 and above
CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment7.0 to 7.12.0.07.13.0.10 and aboveor7.10.1.15 and above to stay on LTS2023 7.10or7.7.5.25 and above to stay on LTS2022 7.7
6.2.1.100 and below6.2.1.110 and above

Furthermore, the security advisory published by Dell provides detailed information about these vulnerabilities, their CVSS vector and other information.

Sources


Article information

Author: Michael Harrell

Last Updated: 1704625922

Views: 2063

Rating: 4.5 / 5 (114 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Michael Harrell

Birthday: 2010-04-27

Address: 699 Robert Tunnel Apt. 420, Velezland, OH 02702

Phone: +4246023599976633

Job: Electrician

Hobby: Dancing, Running, Swimming, Chess, Writing, Cycling, Scuba Diving

Introduction: My name is Michael Harrell, I am a persistent, Open, sincere, cherished, unreserved, accessible, lively person who loves writing and wants to share my knowledge and understanding with you.