VYPR
Unrated severity · NVD Advisory · Published Dec 5, 2023 · Updated May 28, 2025

CVE-2023-39248

Description

Dell OS10 switches with VLT and VRRP configured are vulnerable to a remote unauthenticated DoS via uncontrolled resource consumption, causing network flooding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dell OS10 Networking Switches running version 10.5.2 and above are affected by an uncontrolled resource consumption vulnerability (CVE-2023-39248). The issue manifests when switches are configured with both Virtual Link Trunking (VLT) and Virtual Router Redundancy Protocol (VRRP). Affected versions include 10.5.5.5 and 10.5.5.4(MX), among others in the 10.5.2.x series [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted network traffic targeting switches in a VLT+VRRP configuration. No authentication or user interaction is required, and the attack does not require any special network position beyond standard network access. Exploitation causes the switch to consume excessive resources, resulting in network flooding [1].

Impact

Successful exploitation leads to a denial of service (DoS) condition on the affected switch, causing network flooding that disrupts normal network traffic for legitimate users. The impact is limited to availability: there is no impact on confidentiality or integrity and a high impact on availability, for a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [1].

Mitigation

Dell has released remediated versions to address this vulnerability. For affected products running OS10 version 10.5.5.5, the fix is included in version 10.5.5.6. For version 10.5.5.4(MX), the fix is in version 10.5.5.7(MX). Customers should upgrade to the appropriate remediated version at their earliest opportunity [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
