CVE-2023-32485

Vulnerability

Dell SmartFabric Storage Software versions 1.3 and earlier contain an improper input validation vulnerability in the user authentication mechanism. This flaw allows a remote unauthenticated attacker to bypass authentication checks by sending specially crafted input. The affected versions are all releases before version 1.4.0 [1].

Exploitation

An attacker with network access to the vulnerable service can exploit this vulnerability without any prior authentication or user interaction. By sending a maliciously crafted request to the authentication endpoint, the attacker triggers the input validation flaw, which results in the authentication process being bypassed. No additional privileges or local access are required [1].

Impact

Successful exploitation grants the attacker the highest administration level privileges on the affected Dell SmartFabric Storage Software instance. This leads to a complete compromise of confidentiality, integrity, and availability, as the attacker can read, modify, or delete any data and execute arbitrary commands with full administrative control [1].

Mitigation

Dell has released version 1.4.0 which remediates this vulnerability. Customers are strongly advised to upgrade to this version or later. No workarounds are documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].