CVE-2024-0170
Description
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_cava utility. An authenticated attacker could potentially exploit this vulnerability to escape the restricted shell and execute arbitrary operating system commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Unity prior to 5.4 contains an OS command injection in the svc_cava utility, allowing authenticated attackers to execute arbitrary commands as root.
Vulnerability
Dell Unity versions prior to 5.4 contain an OS command injection vulnerability in the svc_cava utility. An authenticated attacker can inject arbitrary operating system commands through this utility, escaping the restricted shell environment. The vulnerability exists due to insufficient input validation in the svc_cava utility, which is accessible to authenticated users with local access [1].
Exploitation
To exploit this vulnerability, an attacker must have authenticated access to the Dell Unity system with local privileges. The attacker can then invoke the svc_cava utility with crafted input that contains OS command sequences, leading to command injection. No user interaction is required beyond the initial authentication [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges. This results in complete compromise of the affected Dell Unity system, including unauthorized access to sensitive data, modification of system configurations, and potential denial of service [1].
Mitigation
Dell has released version 5.4 of Dell Unity, Dell Unity VSA, and Dell Unity XT to address this vulnerability. Users should upgrade to version 5.4 or later as soon as possible. No workarounds are documented in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <5.4
Patches
No patches discovered yet.
References (1)