CVE-2024-22228
Description
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_cifssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and executing arbitrary operating system commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Unity (prior to 5.4) contains an authenticated OS command injection in svc_cifssupport, allowing an attacker to escape the restricted shell and execute arbitrary commands as root.
Vulnerability
An OS command injection vulnerability exists in the svc_cifssupport utility of Dell Unity, Dell Unity VSA, and Dell Unity XT software versions prior to 5.4 [1]. The flaw allows an authenticated attacker to inject arbitrary operating system commands, escaping the restricted shell provided by the utility.
Exploitation
An attacker needs to have authenticated access to the Dell Unity system, with local access or the ability to run the svc_cifssupport utility [1]. The attacker can then craft a malicious input that, when processed by the utility, injects additional OS commands. No user interaction beyond standard authentication is required, and the attack does not require any special privileges beyond basic authentication [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root-level privileges on the underlying system [1]. This results in full compromise of confidentiality, integrity, and availability (CIA) of the affected Unity storage system [1]. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) [1].
Mitigation
Dell has released a security update (version 5.4) that addresses this vulnerability. Users are advised to upgrade to Dell Unity Operating Environment version 5.4 or later [1]. No workarounds have been disclosed [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.4
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.