Summary: Dell has issued a critical security update to address severe vulnerabilities in its enterprise products, which could lead to remote code execution and information disclosure. Organizations are urged to upgrade to the latest versions to mitigate these risks.
Threat Actor: Unauthenticated attackers
Victim: Dell enterprise product users
Key Points:
- Two critical vulnerabilities identified as CVE-2024-37143 and CVE-2024-37144 have been reported.
- CVE-2024-37143 allows unauthenticated remote attackers to execute arbitrary code on affected systems.
- CVE-2024-37144 involves insecure storage of sensitive information, enabling high-privileged local attackers to disclose sensitive data.
- The vulnerabilities affect several versions of Dell PowerFlex, InsightIQ, and Data Lakehouse products.
- Dell has released updated versions and strongly advises immediate upgrades to mitigate risks.

Dell has released a critical security update to address multiple vulnerabilities impacting several of its enterprise products, including PowerFlex, InsightIQ, and Data Lakehouse. These vulnerabilities, identified as CVE-2024-37143 and CVE-2024-37144, pose significant risks, ranging from remote code execution to information disclosure, with CVSS scores of 10.0 and 8.2, respectively.
- CVE-2024-37143
This vulnerability involves improper link resolution before file access, allowing unauthenticated attackers with remote access to execute arbitrary code on affected systems. Dell emphasizes the gravity of the issue: “An unauthenticated attacker with remote access could potentially exploit this vulnerability to execute arbitrary code on the system.” The vulnerability affects several versions of Dell PowerFlex, InsightIQ, and Data Lakehouse products.
- CVE-2024-37144
This flaw is related to insecure storage of sensitive information, which could enable high-privileged attackers with local access to disclose sensitive information. Dell warns: “The attacker may be able to use information disclosed to gain unauthorized access to pods within the cluster.”
The vulnerabilities impact multiple products and versions, including:
- Dell PowerFlex appliance: Versions prior to IC 46.381.00 and IC 46.376.00.
- Dell PowerFlex rack: RCM versions prior to 3.8.1.0 and 3.7.6.0.
- Dell PowerFlex custom node: PowerFlex Manager versions prior to 4.6.1.0.
- Dell InsightIQ: Versions prior to 5.1.1.
- Dell Data Lakehouse: Versions prior to 1.2.0.0.
Updated versions of these products have been released, and Dell strongly advises customers to upgrade to the latest versions immediately. For detailed guidance, refer to Dell’s support resources, including KB Article 000231116.
Given the critical severity of these vulnerabilities, organizations are urged to prioritize patching their systems.