VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2022 · Updated Sep 16, 2024

CVE-2022-33923

Description

Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploitation may lead to a system takeover by an attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

On Dell PowerStore T versions before 3.0.0.0, a locally authenticated attacker can execute arbitrary OS commands, leading to full system compromise.

Vulnerability

CVE-2022-33923 is an OS command injection vulnerability in the Dell PowerStore T environment. Affected versions are PowerStore T OS versions prior to 3.0.0.0-1732745 [1]. The flaw allows a locally authenticated attacker to inject arbitrary OS commands into the underlying operating system through a vulnerable input field or command parameter [1].

Exploitation

An attacker must be locally authenticated to the PowerStore T appliance. No special privileges beyond standard user access are required. By crafting malicious input that includes command separators or shell metacharacters, the attacker can cause the application to execute attacker-controlled commands on the PowerStore underlying OS [1]. The attacker then runs arbitrary commands at the OS level.

Impact

Successful exploitation results in arbitrary OS command execution with the privileges of the PowerStore application process. This can lead to full system takeover, including access to all data, modification of system configuration, and potential lateral movement within the network [1]. The impact is critical.

Mitigation

Dell has released PowerStore T OS Upgrade version 3.0.0.0-1732745 to address this vulnerability [1]. Users should upgrade to this version or later. There is no known workaround for the vulnerability. The advisory recommends immediate patching as the sole mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
