Unrated severity · NVD Advisory · Published Oct 5, 2023 · Updated Sep 19, 2024

CVE-2023-43073

Description

Dell SmartFabric Storage Software v1.4.0 and prior has an improper input validation vulnerability in RADIUS configuration that allows an authenticated remote attacker to gain unauthorized data access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dell SmartFabric Storage Software versions v1.4.0 and prior (the Debian package for ESXi/KVM and the ESXi and Linux KVM packages) contain an Improper Input Validation vulnerability in the RADIUS configuration functionality [1]. This flaw occurs during the processing of RADIUS configuration inputs, which are not correctly validated before being used. The vulnerable code path is reachable when an attacker has authenticated access to the management interface of the SmartFabric Storage Software VM.

Exploitation

An attacker must first authenticate to the SmartFabric Storage Software management interface. The attacker then sends specially crafted input to the RADIUS configuration endpoint. Due to the improper input validation, the crafted data bypasses expected checks and triggers the vulnerability [1]. No user interaction beyond the authenticated session is required.

Impact

Successful exploitation leads to unauthorized access to data stored or managed by the SmartFabric Storage Software [1]. The confidentiality of the data is compromised, potentially exposing sensitive storage-related information. The attacker's privilege level remains that of an authenticated user, but the attack allows access beyond normal authorization boundaries.

Mitigation

Dell has released SmartFabric Storage Software version v1.4.1 for Debian, ESXi, and Linux KVM that addresses this vulnerability [1]. Users should upgrade to v1.4.1 or later. No workarounds are documented for versions prior to the fix. The fixed versions and upgrade details are available in Dell Security Advisory DSA-2023-347 [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
