CVE-2024-0168

Vulnerability

Dell Unity, Dell Unity VSA, and Dell Unity XT versions prior to 5.4 contain a command injection vulnerability in the svc_oscheck utility [1]. This utility is used for system health checks. The vulnerability allows an authenticated user to inject arbitrary operating system commands into the service script's execution path.

Exploitation

An attacker must have authenticated access to the Dell Unity system, with at least low-level privileges (e.g., a user account). The attack vector is local (CVSS:3.1/AV:L) meaning the attacker must be able to execute the svc_oscheck utility or interact with it from a local shell. No user interaction is required beyond authentication [1]. By crafting specially crafted input to the utility, the attacker can inject arbitrary commands that are executed in the context of the script.

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands with root privileges [1]. This results in full compromise of confidentiality, integrity, and availability of the affected system. The attacker can read, modify, or delete any data, install malware, or disrupt operations.

Mitigation

Dell has addressed this vulnerability in Dell Unity version 5.4. Users are advised to upgrade to version 5.4 or later as per Dell Security Advisory DSA-2024-042 [1]. No workarounds are provided by Dell. If upgrade is not possible, consider restricting local access to trusted users only.