CVE-2022-31232
Description
SmartFabric Storage Software 1.0.0 contains a remote command injection vulnerability allowing unauthenticated attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SmartFabric Storage Software version 1.0.0 contains a command injection vulnerability [1]. The flaw exists in the software's handling of user-supplied input, which is improperly sanitized before being passed to system commands. No authentication or special configuration is required for the vulnerable code path to be reachable [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted network requests to the affected system [1]. The exact injection point is not disclosed, but the attacker can inject arbitrary operating system commands that are executed with the privileges of the SmartFabric service [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the underlying system [1]. This can lead to unauthorized access, modification of data, and disruption of services. The CVSS v3.1 base score is 8.6 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H, indicating low confidentiality and integrity impact but high availability impact [1].
Mitigation
Dell Technologies has released SmartFabric Storage Software version 1.1.0 which addresses this vulnerability [1]. Users should upgrade to the fixed version. As a workaround, if RADIUS and TACACS authentication are not required, administrators can run the command rm /etc/ham/libnss_sac.enable to mitigate the risk [1]. No other workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (= 1.0.0, + 1 more)
- (no CPE) range: = 1.0.0
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.