CVE-2024-22227

Vulnerability

Dell Unity, Dell Unity VSA, and Dell Unity XT systems running versions prior to 5.4 are affected by an OS command injection vulnerability in the svc_dc utility. The flaw exists because the utility does not properly sanitize user-supplied input before using it in system calls, allowing an attacker with valid credentials to inject arbitrary operating system commands [1].

Exploitation

An attacker must first have authenticated access to the affected Dell Unity system. No additional privileges or local console access are required; the attacker can exploit the vulnerability remotely over the management network. By crafting a malicious input to the svc_dc utility, the attacker causes the unsanitized input to be passed directly to a shell command, resulting in command injection [1].

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands with root privileges. This gives the attacker full control over the affected system, including the ability to read, modify, or delete sensitive data, install malware, or disrupt operations. The confidentiality, integrity, and availability of the system are all compromised [1].

Mitigation

Dell has released a security update (Unity version 5.4) that addresses this vulnerability. Customers should upgrade to Unity 5.4 or later as soon as possible. There are no known workarounds; the only mitigation is applying the available patch. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date [1].