CVE-2024-22224
Description
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and executing arbitrary operating system commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Unity versions prior to 5.4 contain an OS command injection in the svc_nas utility, allowing an authenticated attacker to escape a restricted shell and execute arbitrary commands as root.
Vulnerability
The vulnerability exists in the svc_nas utility component of Dell Unity, Dell UnityVSA, and Dell Unity XT storage systems running versions prior to 5.4. The utility fails to properly sanitize user-supplied input before passing it to operating system commands, resulting in an OS command injection flaw. An authenticated attacker can exploit this to break out of the intended restricted shell and inject arbitrary commands.
Exploitation
An attacker must first obtain valid authentication credentials for the Dell Unity system. No special privileges beyond standard user access are required. The attacker then invokes the svc_nas utility with crafted arguments that contain shell metacharacters. The underlying code passes the unsanitized input to a shell command, allowing the injected commands to execute. Authentication is required, but no further user interaction or race condition is needed.
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges. This gives full control over the storage system, including the ability to read, modify, or delete all data, install malware, disrupt operations, and pivot to other network resources. The confidentiality, integrity, and availability of the affected system are completely compromised.
Mitigation
Dell released a security update to address this vulnerability. The fix is included in Dell Unity Operating Environment (OE) version 5.4 or later [1]. Administrators should upgrade to version 5.4 or the latest available release. No workarounds have been published; upgrading is the only mitigation. The same release also fixes the related CVEs CVE-2024-22223, CVE-2024-22222, CVE-2024-0166, CVE-2024-0168, and CVE-2024-0167 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.4
Patches
No patches discovered yet.
References