Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products

Dell is informing PowerProtect DD product customers about 8 vulnerabilities, including many rated ‘high severity’, and urging them to install patches.

Dell is urging customers of its PowerProtect products to review a newly released security advisory and patch a series of potentially serious vulnerabilities.

The vulnerabilities impact PowerProtect Data Domain (DD) series appliances, which are designed to help organizations protect, manage and recover data at scale. APEX Protect Storage, PowerProtect DD Management Center, PowerProtect DP series appliances, and PowerProtect Data Manager appliances are also affected.

The most serious of the flaws — based on its CVSS score of 8.8 — is CVE-2023-44286, described as a DOM-based cross-site scripting (XSS) issue that allows a remote, unauthenticated attacker to inject malicious code into the targeted user’s browser. 

Exploitation could lead to client-side request forgery, session theft and information disclosure. While it’s not specified in Dell’s advisory, exploiting these types of flaws typically involves the attacker tricking the victim into clicking on a malicious link.  

Several other vulnerabilities have been assigned a ‘high severity’ rating, including OS command injection and improper access control flaws. 

The command injection bugs can be exploited to execute arbitrary commands on the underlying operating system with the privileges of the vulnerable exploitation, and they could allow an attacker to take over the targeted system. 

Exploitation requires local access and either low or elevated privileges. However, it may be possible for an attacker to exploit a vulnerability such as CVE-2023-44286 to achieve the authentication requirement.

The three medium-severity flaws found in PowerProtect products can be exploited by an authenticated attacker to bypass security restrictions and take over the system, gain read and write access to OS files, and execute arbitrary SQL commands on the application’s backend database and gain read access to app data. 

Advertisement. Scroll to continue reading.

“Dell Technologies released remediations for vulnerabilities that impact certain Dell PowerProtect Data Domain products. We encourage customers to immediately review and implement the remediation steps in Dell Security Advisory (DSA-2023-412) for affected products, versions and additional information. The security of our products is a top priority and critical to protecting our customers,” Dell said in a statement shared with SecurityWeek.

The company said it worked quickly to remediate the vulnerability and it’s currently not aware of any active exploitation. 

It’s worth noting that Dell product vulnerabilities are known to have been exploited by sophisticated threat actors in their attacks. 

Dell recently also informed customers about a high-severity privilege escalation vulnerability in PowerEdge Server BIOS, dozens of flaws in PowerMax and Unisphere products, and dozens of vulnerabilities impacting third-party components of VxRail Manager

Related: Enterprise, Consumer Devices Exposed to Attacks via Malicious UEFI Logo Images

Related: High-Severity UEFI Vulnerabilities Patched in Dell Enterprise Laptops

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Check Point Software has appointed Nadav Zafrir as Chief Executive Officer.

BlackFog has named Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales.

Former NSA cybersecurity chief Rob Joyce has joined Sandfly Security's Advisory Board.

More People On The Move

Expert Insights