CVE-2024-0167

Vulnerability

CVE-2024-0167 is an OS command injection vulnerability in the svc_topstats utility of Dell Unity, Dell Unity VSA, and Dell Unity XT storage systems. All versions prior to 5.4 are affected. The flaw resides in how the utility processes user-supplied input when constructing OS commands, allowing an authenticated user to inject arbitrary commands. [1]

Exploitation

An attacker must have authenticated access to the affected Dell Unity system. No special privileges beyond standard user authentication are required. The attacker can then invoke the svc_topstats utility with crafted input that includes command injection payloads, which the utility passes unsanitized to the operating system for execution. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands with root privileges. This can lead to overwriting arbitrary files on the file system, compromising the confidentiality, integrity, and availability of the storage system. [1]

Mitigation

Dell has released a security update (version 5.4 or later) that addresses this vulnerability. Users should upgrade to Dell Unity OE version 5.4 or later as soon as possible. There are no workarounds disclosed in the available references. [1]