CVE-2024-37143 - Critical Vulnerability in Dell PowerFlex and Related Products: Improper Link Resolution Before File Access

A critical vulnerability, tracked as CVE-2024-37143, has been disclosed in Dell PowerFlex and related products, including Dell PowerFlex appliance, Dell PowerFlex rack, Dell PowerFlex custom node using PowerFlex Manager, Dell InsightIQ, and Dell Data Lakehouse. The weakness is classified as Improper Link Resolution Before File Access (CWE-59). An unauthenticated attacker with remote access to the system could exploit it to execute arbitrary code on the system. Users and administrators of affected products should check the versions they run and apply the updates listed in the mitigation section below.

Affected Products

1. Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00

2. Dell PowerFlex rack versions prior to RCM 3.8.1. (for RCM 3.8.x train) and prior to RCM 3.7.6. (for RCM 3.7.x train)

Dell PowerFlex custom node using PowerFlex Manager, Dell InsightIQ, and Dell Data Lakehouse are also affected; consult the Dell advisory for the affected version ranges of those products.

Vulnerability Details

This vulnerability, CVE-2024-37143, is an Improper Link Resolution Before File Access issue (CWE-59). In this class of weakness the program opens, reads, or writes a file by name without checking whether that name is a symbolic (or hard) link, so an attacker who can plant a link where the program will look redirects the access to a file of their choosing: a read leaks data the attacker should not see, and a write can overwrite a configuration file, script, or binary that the system later executes, which is how link-following weaknesses escalate to code execution. Dell's advisory does not publish the affected code path. The snippet below is an illustrative Python sketch of the weakness pattern, not code from any Dell product:

import os

def process_data(data):
    print(data)  # stand-in for the real consumer of the file contents

def vulnerable_function(user_path):
    # Vulnerable line: a symbolic link at user_path is followed, not rejected
    file_path = os.path.realpath(user_path)
    with open(file_path, 'r') as file:
        process_data(file.read())

Exploitation requires only that the attacker can reach the affected system over the network; no credentials are needed. A successful attack could lead to arbitrary code execution on the system or unauthorized access to sensitive information.
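To make the weakness class concrete, the following added example (written for this page, not code from Dell or from the advisory) puts the vulnerable read pattern next to a hardened form and runs both against a constructed scenario: a directory the attacker can write to contains a symlink named report.txt that points at a secret file outside it. The hardened reader confines the name to the base directory and opens with O_NOFOLLOW so the kernel refuses to dereference a link in the final path component. It assumes a POSIX platform (Linux or macOS) and that the base directory itself is trusted and not attacker-writable; all file names and contents are constructed for the demo.

```python
import errno
import os
import tempfile


def read_following_links(base_dir, name):
    """Vulnerable pattern (CWE-59): open() follows whatever name points at,
    so a symlink planted in base_dir redirects the read anywhere on disk."""
    with open(os.path.join(base_dir, name), "r") as f:
        return f.read()


def read_without_following_links(base_dir, name):
    """Hardened form: confine the path to base_dir and refuse to follow a
    symlink in the final component.  Assumes a POSIX platform (O_NOFOLLOW);
    base_dir itself is trusted and must not be attacker-writable, because
    O_NOFOLLOW does not protect against links in intermediate directories."""
    base_real = os.path.realpath(base_dir)
    target = os.path.normpath(os.path.join(base_real, name))
    # Traversal check: the normalized path must still sit inside base_dir.
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"{name!r} escapes {base_dir}")
    try:
        # O_NOFOLLOW makes the kernel fail instead of dereferencing a symlink
        # at the last path component (ELOOP on Linux/macOS, EMLINK on BSD).
        fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise PermissionError(f"{name!r} is a symbolic link") from exc
        raise
    with os.fdopen(fd, "r") as f:
        return f.read()


def demo():
    """Constructed scenario (not from the advisory): an 'uploads' directory the
    attacker can write to holds a symlink report.txt -> ../secret.txt plus a
    normal file.  Returns what each reader does with those names."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("TOP-SECRET")
        with open(os.path.join(uploads, "ok.txt"), "w") as f:
            f.write("harmless")
        os.symlink(secret, os.path.join(uploads, "report.txt"))

        leaked = read_following_links(uploads, "report.txt")  # follows the link
        try:
            read_without_following_links(uploads, "report.txt")
            link_blocked = False
        except PermissionError:
            link_blocked = True
        try:
            read_without_following_links(uploads, "../secret.txt")
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True
        normal = read_without_following_links(uploads, "ok.txt")
        return leaked, link_blocked, traversal_blocked, normal


if __name__ == "__main__":
    print(demo())
```

The same idea applies to writes, where link following becomes a code-execution primitive: create files with os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW so a pre-planted link (dangling or not) makes the open fail rather than redirecting the write onto a script or configuration file.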

Original References

1. Dell Security Advisory: DSA-2024-012
2. National Vulnerability Database: CVE-2024-37143

Mitigation and Recommendations

To address this vulnerability, users and administrators should apply the following patches and updates to their affected systems:

- Update Dell PowerFlex appliance to at least IC 46.381.00 or IC 46.376.00, depending on which IC train is in use
- Update Dell PowerFlex rack to at least RCM 3.8.1. (for RCM 3.8.x train) or RCM 3.7.6. (for RCM 3.7.x train)

Conclusion

The CVE-2024-37143 vulnerability is a critical issue affecting multiple Dell products that, if exploited, could lead to the execution of arbitrary code on the system or unauthorized access to sensitive information. Users and administrators should apply the necessary patches and updates to mitigate the vulnerability and, as a general defense against link-following bugs, ensure that directories a privileged service reads from or writes to are not writable by less-privileged users.

Timeline

Published on: 12/10/2024 03:15:05 UTC