CVE-2024-0165
Description
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_acldb_dump utility. An authenticated attacker could potentially exploit this vulnerability, leading to execution of arbitrary operating system commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can inject OS commands via the svc_acldb_dump utility in Dell Unity <5.4, leading to root-level remote code execution.
Vulnerability
An OS Command Injection vulnerability exists in the svc_acldb_dump utility of Dell Unity, Dell UnityVSA, and Dell Unity XT systems running versions prior to 5.4. The issue arises because the utility does not properly sanitize user-supplied input before passing it to the operating system shell, allowing an authenticated attacker to inject arbitrary commands. Affected versions include all Dell Unity releases before 5.4 [1].
Exploitation
An attacker must have valid authentication credentials and local access to the Dell Unity system. No special privileges beyond authenticated access are required. The attacker can exploit the vulnerability by triggering the svc_acldb_dump utility with crafted input that includes OS command injection payloads. The utility executes the injected commands with the privileges of the underlying process [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands on the underlying OS with root privileges. This results in complete compromise of confidentiality, integrity, and availability (CIA) of the affected system. The attacker gains full control over the Unity storage array and all data it manages [1].
Mitigation
Dell has addressed this vulnerability in Dell Unity release version 5.4 and later. Users should upgrade to version 5.4 or newer as soon as possible. No workarounds are documented. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <5.4
Patches
No patches discovered yet.
References