Warning: Critical Privilege Escalation Vulnerability in Dell SmartFabric Storage Software, Patch Immediately!
CVE-2023-32485: CVSS 9.8(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The Dell SmartFabric Storage Software is a Standards-based Centralized Discovery Controller for NVMe/TCP block storage solutions. Potential impacts of this vulnerability can be a data breach including business-critical information, intellectual property, financial records and customer data.
Additionally, it can have impact in the integrity of the data stored in these storage solutions, can cause service disruption due to the (temporary) data loss, as well as financial loss, reputation damage and have regulatory and legal consequences.
If the compromised NVMe/TCP storage system has connections to other parts of the network, this vulnerability can be used for initial access to later pivot and target other systems within the organization.
Although exploitation in the wild hasn't been observed at the time of writing, patching this vulnerability is strongly advised considering the impact it can have.
CVE-2023-32485 is a critical improper input validation vulnerability that can lead to a privilege escalation up to the highest administration level. It can be exploited by a remote unauthenticated attacker and requires no user interaction. The vulnerability has a severe impact in the confidentiality, integrity and availability of the affected systems.
The Centre for Cybersecurity Belgium strongly recommends system administrators to take the following actions:
- Upgrade to version 1.4.0 according to the vendor's instructions, after thorough testing.
Vendor's advisory: https://www.dell.com/support/kbdoc/en-us/000216587/dsa-2023-283-security...