Dell is urging customers of its PowerProtect products to review a newly released security advisory and patch a series of potentially serious vulnerabilities.
The vulnerabilities impact PowerProtect Data Domain (DD) series appliances, which are designed to help organizations protect, manage and recover data at scale. APEX Protect Storage, PowerProtect DD Management Center, PowerProtect DP series appliances, and PowerProtect Data Manager appliances are also affected.
The most serious of the flaws — based on its CVSS score of 8.8 — is CVE-2023-44286, described as a DOM-based cross-site scripting (XSS) issue that allows a remote, unauthenticated attacker to inject malicious code into the targeted user’s browser.
Exploitation could lead to client-side request forgery, session theft and information disclosure. While it’s not specified in Dell’s advisory, exploiting these types of flaws typically involves the attacker tricking the victim into clicking on a malicious link.
Several other vulnerabilities have been assigned a ‘high severity’ rating, including OS command injection and improper access control flaws.
The command injection bugs can be exploited to execute arbitrary commands on the underlying operating system with the privileges of the vulnerable exploitation, and they could allow an attacker to take over the targeted system.
Exploitation requires local access and either low or elevated privileges. However, it may be possible for an attacker to exploit a vulnerability such as CVE-2023-44286 to achieve the authentication requirement.
The three medium-severity flaws found in PowerProtect products can be exploited by an authenticated attacker to bypass security restrictions and take over the system, gain read and write access to OS files, and execute arbitrary SQL commands on the application’s backend database and gain read access to app data.
“Dell Technologies released remediations for vulnerabilities that impact certain Dell PowerProtect Data Domain products. We encourage customers to immediately review and implement the remediation steps in Dell Security Advisory (DSA-2023-412) for affected products, versions and additional information. The security of our products is a top priority and critical to protecting our customers,” Dell said in a statement shared with SecurityWeek.
The company said it worked quickly to remediate the vulnerability and it’s currently not aware of any active exploitation.
It’s worth noting that Dell product vulnerabilities are known to have been exploited by sophisticated threat actors in their attacks.
Dell recently also informed customers about a high-severity privilege escalation vulnerability in PowerEdge Server BIOS, dozens of flaws in PowerMax and Unisphere products, and dozens of vulnerabilities impacting third-party components of VxRail Manager.