CVE-2023-43074

Vulnerability

Dell Unity (including Unity VSA and Unity XT) version 5.3 contains an arbitrary file creation vulnerability. An unauthenticated remote attacker can craft a request to the server that results in the creation of arbitrary files on the system [1]. The exact affected components and configuration conditions are not detailed but the vulnerability is present in the base installation of Dell Unity 5.3.

Exploitation

An attacker can exploit this vulnerability without authentication and from a remote network position by sending a crafted HTTP request to the Dell Unity management interface. No user interaction or special privileges are required. The specific endpoint and request parameters are not publicly disclosed, but the advisory confirms that arbitrary file creation is possible [1].

Impact

Successful exploitation allows an attacker to create arbitrary files on the Dell Unity system. This could lead to further compromise, such as overwriting critical configuration files, deploying malicious scripts, or escalating privileges. The exact impact depends on the attacker's ability to control the file content and location, but the vulnerability is rated as critical by Dell [1].

Mitigation

Dell has released a security update as part of DSA-2023-141 to address this vulnerability. Users should apply the latest firmware update for Dell Unity, Unity VSA, and Unity XT systems. The advisory recommends updating to a fixed version (details in the Dell support article). No workarounds are provided, and the vulnerability is not listed in CISA's KEV at this time [1].