Dell Product Line Security Update Advisory

Overview

Dell has released updates that address vulnerabilities across several of its product lines. Users of the affected versions listed below are advised to update to the patched versions.

Affected Products

CVE-2024-22461

  • RecoverPoint for Virtual Machines: versions 6.0 SP1 and 6.0 SP1 P1

CVE-2024-47238

  • Dell Edge Gateway 5000: versions prior to 1.29.0
  • Edge Gateway 3000 series: versions prior to 1.19.0
  • Embedded Box PC 3000: versions prior to 1.25.0

CVE-2024-53292

  • VxRail: versions prior to x.40.405

CVE-2024-53289, CVE-2024-53290

  • ThinOS 2411: affected version ThinOS 2408

CVE-2024-47480

  • Dell Inventory Collector: versions prior to 12.7.0

CVE-2024-51532

  • PowerStore 500T: versions prior to 4.0.1.0-2408234
  • PowerStore 1000T: versions prior to 4.0.1.0-2408234
  • PowerStore 1200T: versions prior to 4.0.1.0-2408234
  • PowerStore 3000T: versions prior to 4.0.1.0-2408234
  • PowerStore 3200Q: versions prior to 4.0.1.0-2408234
  • PowerStore 3200T: versions prior to 4.0.1.0-2408234
  • PowerStore 5000T: versions prior to 4.0.1.0-2408234
  • PowerStore 5200T: versions prior to 4.0.1.0-2408234
  • PowerStore 7000T: versions prior to 4.0.1.0-2408234
  • PowerStore 9000T: versions prior to 4.0.1.0-2408234
  • PowerStore 9200T: versions prior to 4.0.1.0-2408234


Resolved Vulnerabilities

  • CVE-2024-22461 (RecoverPoint for Virtual Machines): OS command injection vulnerability that allows a remote attacker with low privileges to execute commands with root privileges and possibly compromise the system
  • CVE-2024-47238 (Edge Gateway 5000, Edge Gateway 3000 series, Embedded Box PC 3000): improper input validation vulnerability that could allow a local attacker with high privileges to execute arbitrary code
  • CVE-2024-53292 (VxRail): plaintext password storage vulnerability in the shell wrapper that could allow a local, high-privileged attacker to steal user credentials
  • CVE-2024-53289 (ThinOS): TOCTOU race condition vulnerability that could allow a low-privileged attacker with local access to escalate privileges
  • CVE-2024-53290 (ThinOS): command injection vulnerability that could allow an unauthenticated attacker with local access to execute commands
  • CVE-2024-47480 (Dell Inventory Collector): improper link resolution before file access vulnerability that could allow a low-privileged attacker with local access to escalate privileges and gain unauthorized file system access
  • CVE-2024-51532 (PowerStore T): improper neutralization of argument delimiters vulnerability that could allow a low-privileged attacker with local access to modify arbitrary system files


Vulnerability Patches

Patched versions are available in the latest updates. Follow the instructions on the referenced sites below to update to the patched version.

CVE-2024-22461

  • RecoverPoint for Virtual Machines: 6.0 SP1 P2 or later

CVE-2024-47238

  • Dell Edge Gateway 5000: 1.29.0 or later
  • Edge Gateway 3000 series: 1.19.0 or later
  • Embedded Box PC 3000: 1.25.0 or later

CVE-2024-53292

  • VxRail: x.40.405 or later

CVE-2024-53289, CVE-2024-53290

  • ThinOS 2411: ThinOS 2411

CVE-2024-47480

  • Dell Inventory Collector: 12.7.0 or later

CVE-2024-51532

  • PowerStore 500T: 4.0.1.0-2408234 or later
  • PowerStore 1000T: 4.0.1.0-2408234 or later
  • PowerStore 1200T: 4.0.1.0-2408234 or later
  • PowerStore 3000T: 4.0.1.0-2408234 or later
  • PowerStore 3200Q: 4.0.1.0-2408234 or later
  • PowerStore 3200T: 4.0.1.0-2408234 or later
  • PowerStore 5000T: 4.0.1.0-2408234 or later
  • PowerStore 5200T: 4.0.1.0-2408234 or later
  • PowerStore 7000T: 4.0.1.0-2408234 or later
  • PowerStore 9000T: 4.0.1.0-2408234 or later
  • PowerStore 9200T: 4.0.1.0-2408234 or later


Referenced Sites

[1] DSA-2024-429: Security Update for Dell RecoverPoint for Virtual Machines Multiple Third-Party Component Vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000259765/dsa-2024-429-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-third-party-component-vulnerabilities

[2] DSA-2024-355: Security Update for Dell Client Platform BIOS for an Improper Input Validation Vulnerability
https://www.dell.com/support/kbdoc/en-us/000227595/dsa-2024-355

[3] DSA-2024-492: Security Update for Dell VxVerify on VxRail Plaintext Password Storage Vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000258964/dsa-2024-492-security-update-dell-vxverify-on-vxrail-plaintext-password-storage-vulnerabilities

[4] DSA-2024-463: Dell ThinOS Security Update for Multiple Third-Party Vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000248475/dsa-2024-463

[5] DSA-2024-475: Security Update for Dell Command | Update, Dell Update, Alienware Update, and Dell SupportAssist for an Improper Link Resolution Before File Access Vulnerability
https://www.dell.com/support/kbdoc/en-us/000255700/dsa-2024-475

[6] DSA-2024-462: Dell PowerStore T Security Update for Multiple Vulnerabilities
https://www.dell.com/support/kbdoc/ko-kr/000250483/dsa-2024-462-dell-powerstore-t-security-update-for-multiple-vulnerabilities