Multiple Flaws in Dell PowerProtect Products Let Attackers Execute OS Commands
Multiple vulnerabilities have been discovered in Dell’s PowerProtect, which were associated with SQL injection, cross-site scripting (XSS), privilege escalation, command injection, and path tracing. The severity for these vulnerabilities ranges between 4.3 (Medium) and 8.8 (High).
Relevant CVEs have been assigned to all these vulnerabilities, with CVE-2023-44286 associated with Cross-Site Scripting having the highest severity (8.8) and CVE-2023-44284 with the lowest severity (4.3) among the discovered vulnerabilities in Dell PowerProtect.
Multiple Flaws in Dell PowerProtect Products
Nearly 8 vulnerabilities have been disclosed, including 4 OS command injections, 1 Path Traversal, 1 SQL injection, 1 Cross-site scripting (XSS), and 1 Privilege Escalation. These vulnerabilities exist on Dell PowerProtect DD versions before 7.13.0.10, LTS 7.7.5.5, LTS 7.10.1.15, and 6.2.1.1110.
OS Command Injection
CVE-2023-48668 (8.8), CVE-2023-44277 (7.8), CVE-2023-48667 (7.2), and CVE-2023-44279 (6.7) were related to OS command injection vulnerability which can be exploited by a threat actor to potentially execute arbitrary OS commands or bypass security restrictions.
A threat actor could also potentially exploit some of these vulnerabilities and perform various activities such as taking over the system, executing OS commands with vulnerable application privileges, and many others.
Path Traversal
CVE-2023-44278 is related to the Path Traversal vulnerability, which threat actors can exploit to gain unauthorized read and write access to the OS files stored on the server filesystem. The severity for this vulnerability is given as 6.7 (Medium).
SQL Injection
CVE-2023-44284 is related to SQL injection vulnerability, which a threat actor could exploit to execute SQL commands on the application’s backend database, resulting in unauthorized read access to the application data. The severity for this vulnerability has been given as 4.3 (Low).
Cross-Site Scripting (XSS)
CVE-2023-44286 is related to cross-site scripting vulnerability, which the threat actor can potentially exploit to execute Javascript code in a victim user’s DOM environment of the browser.
Successful exploitation could lead to information disclosure, session theft, or client-side request forgery. The severity of this vulnerability has been given as 8.8 (High).
Privilege Escalation
CVE-2023-44285 is linked with a Privilege Escalation vulnerability, which a threat actor can exploit with low privilege to escalate their privilege due to improper access control. The severity for this vulnerability has been given as 7.8 (High).
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions |
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 | Dell PowerProtect DD series appliancesDell PowerProtect DD Virtual EditionDell APEX Protection Storage | 7.0 to 7.12.0.0 | 7.13.0.10 and aboveor7.10.1.15 and above to stay on LTS2023 7.10or7.7.5.25 and above to stay on LTS2022 7.7 |
| 6.2.1.100 and below | 6.2.1.110 and above | ||
| CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 | Dell PowerProtect DD management Center | 7.0 to 7.12.0.0 | 7.13.0.10 and aboveor7.10.1.15 and above to stay on LTS2023 7.10or7.7.5.25 and above to stay on LTS2022 7.7 |
| 6.2.1.100 and below | 6.2.1.110 and above | ||
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 | PowerProtect DP Series Appliance (IDPA): All Models | 2.7.4 and below | 2.7.6 and above |
| CVE-2023-44284 | PowerProtect Data Manager Appliance model: DM5500 | 5.14 and below | 5.15.0.0 and above |
| CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 | Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment | 7.0 to 7.12.0.0 | 7.13.0.10 and aboveor7.10.1.15 and above to stay on LTS2023 7.10or7.7.5.25 and above to stay on LTS2022 7.7 |
| 6.2.1.100 and below | 6.2.1.110 and above |
Furthermore, the security advisory published by Dell provides detailed information about these vulnerabilities, their CVSS vector and other information.
