DSA-2019-019: Dell Networking OS10 OS Command Injection Vulnerability

Vulnerability

Dell OS10 versions prior to 10.4.2.1 contain an OS command injection vulnerability in the command-line interface (CLI) due to insufficient input validation. The affected products are all Dell OS10 versions before 10.4.2.1. The vulnerability resides in the CLI parsing logic, which does not properly sanitize user-supplied input before passing it to the operating system for execution [1].

Exploitation

An attacker must have authenticated access to the Dell OS10 CLI. The attacker can craft a malicious command that includes operating system commands embedded within CLI arguments. By providing specially crafted input, the injected commands are executed with the privileges of the CLI process [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the affected Dell OS10 system. This can lead to full compromise of the system, including data disclosure, modification, or denial of service, depending on the commands executed [1].

Mitigation

Dell has released the following fixed versions: 10.4.0-R3S, 10.4.1.4, and 10.4.2.1 and later. Dell recommends all customers apply available patches at the earliest opportunity. No workaround is mentioned in the advisory [1].