CVE-2023-4401
Description
OS command injection in Dell SmartFabric Storage Software CLI 'more' command allows authenticated attackers to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An OS command injection vulnerability exists in the 'more' command of the Dell SmartFabric Storage Software CLI. Affected versions are v1.4.0 and prior, as identified in the Dell advisory [1]. The flaw resides in the Debian package used for upgrading the SmartFabric Storage Software VM deployed on ESXi or Linux KVM, as well as in the standalone packages for ESXi and Linux KVM [1].
Exploitation
An attacker must be authenticated (either locally or remotely) to the SmartFabric Storage Software CLI. By supplying crafted input to the 'more' command, the attacker can inject arbitrary OS commands. The injection occurs because user-supplied data is not properly sanitized before being passed to the operating system shell.
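The defensive counterpart to the paragraph above, as an added example: this is not Dell's code and not taken from the advisory. It sketches a hypothetical CLI handler for a 'more'-style command that never hands user input to a shell and confines the argument to one directory. PAGER_ROOT, build_more_argv, page_file and the directory layout are assumptions made for illustration.

```python
import os
import subprocess

# Hypothetical directory the CLI may page files from (assumption, not a Dell path).
PAGER_ROOT = "/var/log/cli"


class RejectedArgument(ValueError):
    """Raised when a user-supplied file argument fails validation."""


def build_more_argv(user_arg, root=PAGER_ROOT):
    """Return an argv list for 'more' that can be executed without a shell."""
    if not user_arg or "\x00" in user_arg:
        raise RejectedArgument("empty argument or NUL byte")
    # Resolve symlinks and '..' first, then check the result is still under root.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, user_arg))
    if os.path.commonpath([root_real, target]) != root_real:
        raise RejectedArgument("path escapes the allowed directory")
    if not os.path.isfile(target):
        raise RejectedArgument("not a regular file")
    # target is absolute (starts with '/'), so 'more' cannot read it as an option.
    return ["more", target]


def page_file(user_arg, root=PAGER_ROOT):
    """Run the pager from an argv list; no shell ever parses user_arg."""
    argv = build_more_argv(user_arg, root)
    # shell=False: characters such as ; | & $ ` reach 'more' as literal bytes
    # of one file name instead of being interpreted as shell syntax.
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    import tempfile

    # Constructed sample data: a temporary root holding one small file.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("sample\n")
        print(build_more_argv("notes.txt", tmp))
        try:
            build_more_argv("../outside.txt", tmp)
        except RejectedArgument as exc:
            print("rejected:", exc)
```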
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with root-level privileges. This results in full compromise of the affected system, including the ability to read, modify, or delete sensitive data, install malware, or pivot to other systems.
Mitigation
Dell has released version v1.4.1, which addresses this vulnerability. Users should upgrade to v1.4.1 using the appropriate package for their deployment (ESXi or Linux KVM) as detailed in the advisory [1]. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.4
- (no CPE) range: v1.4.0 and prior
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.