CVE-2023-32478

Vulnerability

An insertion of sensitive information into log file vulnerability exists in Dell PowerStore, affecting all versions prior to 3.5.0.1 [1]. The vulnerability occurs when the product logs sensitive data, such as credentials or configuration secrets, in plaintext. An attacker with high-privileged access to the system can exploit this flaw to read log files that contain this sensitive information.

Exploitation

To exploit CVE-2023-32478, an attacker must already have high-privileged (administrative) access to the PowerStore appliance [1]. The attacker can then view log files that were written by the system; no additional privileges or user interaction beyond the attacker's existing high privileges are required. The exact log file location and content vary by deployment.

Impact

Successful exploitation leads to the disclosure of sensitive information, such as passwords, tokens, or other secrets embedded in log entries [1]. The attacker gains knowledge of confidential data but does not directly obtain code execution or privilege escalation from this vulnerability alone.

Mitigation

Dell has released PowerStore version 3.5.0.1 which fixes the log sanitization issue [1]. Users should upgrade to this version or later. There is no workaround listed for systems that cannot immediately apply the update.