CVE-2024-0166
Description
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_tcpdump utility. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands with elevated privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can exploit an OS command injection vulnerability in Dell Unity's svc_tcpdump utility to execute arbitrary commands with elevated privileges.
Vulnerability
Dell Unity, versions prior to 5.4, contains an OS command injection vulnerability in the svc_tcpdump utility [1]. The utility fails to properly sanitize user-supplied input before passing it to a shell command, allowing an authenticated attacker to inject arbitrary OS commands. All versions before 5.4 are affected.
Exploitation
An attacker must have authenticated access to the system with low privileges (PR:L). No user interaction is required (UI:N). The attack vector is local (AV:L), meaning the attacker must have local shell access or the ability to invoke the vulnerable utility. The attacker can craft input to the svc_tcpdump utility that includes shell metacharacters, leading to execution of arbitrary commands [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with elevated privileges (likely root). This results in full compromise of confidentiality, integrity, and availability, as reflected by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) [1].
Mitigation
Dell has addressed this vulnerability in Unity version 5.4. Users should upgrade to version 5.4 or later as specified in Dell Security Advisory DSA-2024-042 [1]. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.4
Patches
No patches discovered yet.
References