CVE-2022-22555
Description
Dell EMC PowerStore contains an OS command injection vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A locally authenticated attacker can execute arbitrary OS commands on Dell PowerStore via an OS command injection vulnerability, leading to privilege escalation.
Vulnerability
Dell EMC PowerStore contains an OS command injection vulnerability (CVE-2022-22555) in the underlying operating system. Affected versions include PowerStore T OS before Upgrade 3.0.0.0-1732745 [1]. The vulnerability allows a locally authenticated attacker to inject OS commands, which are then executed with the privileges of the vulnerable application.
Exploitation
An attacker must be locally authenticated to the PowerStore appliance. By crafting specific input to a vulnerable component, the attacker can inject arbitrary OS commands. No additional user interaction or network position beyond authenticated local access is required. The exact injection point is not publicly detailed in the available references.
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands on the PowerStore underlying OS with the privileges of the vulnerable application. This can lead to an elevation of privilege, potentially enabling full control of the system or access to sensitive data.
Mitigation
Dell has released PowerStore T OS Upgrade 3.0.0.0-1732745 to address this vulnerability and all associated CVEs (except CVE-2022-32498, which affects the CLI tool) [1]. Users should apply the update from the Dell support site to mitigate the risk. No other workarounds are documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: unspecified
Patches
No patches discovered yet.
References
[1] www.dell.com/support/kbdoc/000201283 (mitre, x_refsource_MISC)