VYPR
Unrated severity · NVD Advisory · Published Sep 28, 2022 · Updated May 20, 2025

CVE-2022-29089

Description

An information disclosure vulnerability in Dell Networking OS10 before October 2021 with Smart Fabric Services enabled allows a remote unauthenticated attacker to retrieve sensitive information and access the REST API with admin privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dell Networking OS10 versions prior to October 2021 with Smart Fabric Services (SFS) enabled contain an information disclosure vulnerability [1]. The vulnerability exists in proprietary code and can be exploited by remote, unauthenticated attackers to retrieve sensitive information and access the REST API with admin privileges [1]. Affected versions are those released before October 2021; fixed versions are available starting with the October 2021 update [1].

Exploitation

An attacker with network access to an affected Dell Networking OS10 device can exploit this vulnerability by reverse engineering the firmware or software to extract embedded credentials or other sensitive data that allows REST API access [1]. No authentication is required, but the attacker must be adjacent to the device (AV:A) and the attack requires high complexity (AC:H) due to the need for reverse engineering [1]. Once the attacker obtains the needed information, they can authenticate to the REST API with admin privileges [1].

Impact

Successful exploitation allows a remote, unauthenticated attacker to retrieve sensitive information and gain admin-level access to the REST API [1]. According to the CVSS vector (C:L/I:L/A:H), the confidentiality and integrity impacts are rated low (e.g., disclosure of confidential data, modifying configuration via the API), while the availability impact is rated high (e.g., potential disruption of services) [1].

Mitigation

Dell has released a security update for SmartFabric OS10 (the October 2021 release) that addresses this vulnerability; customers should upgrade to the latest fixed version as specified in DSA-2022-135 [1]. There are no workarounds reported; applying the update is the recommended mitigation [1]. This vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
