CVE-2024-49557

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Nov 12, 2024 / Updated: 8d ago

CVSS 7.8 | EPSS 0.04% | High

Summary

Dell SmartFabric OS10 Software, versions 10.5.6.x, 10.5.5.x, 10.5.4.x, and 10.5.3.x, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. This vulnerability allows a low-privileged attacker with local access to potentially execute code on the affected system.

Impact

If exploited, this vulnerability could lead to code execution on the affected Dell SmartFabric OS10 systems. The attacker could potentially gain unauthorized access, execute arbitrary commands, or elevate privileges. Given the CVSS v3.1 base score of 7.8 (High severity) and the impact ratings of High for Confidentiality, Integrity, and Availability, this vulnerability could significantly compromise the security of affected systems.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Dell has released a security update to address this vulnerability, which can be found in the Dell Security Advisory (DSA-2024-425) at https://www.dell.com/support/kbdoc/en-us/000247217/dsa-2024-425-security-update-for-dell-networking-os10-vulnerabilities

Mitigation

1. Apply the security update provided by Dell as soon as possible.
2. Limit local access to the affected systems to only trusted users.
3. Monitor systems for any suspicious activities or unauthorized access attempts.
4. Implement the principle of least privilege to minimize the potential impact of the vulnerability.
5. Consider network segmentation to isolate affected systems until patching is complete.
6. Regularly review and update access controls on affected systems.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-49557.

Nov 11, 2024 at 11:42 PM / Dell Security Advisories and Notices

CVSS Estimate

Feedly estimated the CVSS score as HIGH.

Nov 12, 2024 at 4:00 AM

CVE Assignment

NVD published the first details for CVE-2024-49557.

Nov 12, 2024 at 4:15 AM

CVSS

A CVSS base score of 7.8 has been assigned.

Nov 12, 2024 at 4:20 AM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 12, 2024 at 9:54 AM

Affected Systems

Dell/smartfabric_os10

Patches

www.dell.com

Attack Patterns

CAPEC-136: LDAP Injection

References

DSA-2024-425: Security Update for Dell Networking OS10 Vulnerabilities
Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Privilege Management vulnerability. Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Execution with Unnecessary Privileges vulnerability.

News

Dell SmartFabric OS10 Receives Important Security Updates
The vulnerabilities affect several versions of OS10 and range from code execution and privilege escalation to unauthorized file access. The most severe vulnerability, CVE-2024-48837, allows a low-privileged attacker with local access to execute arbitrary code.
Dell SmartFabric OS10: Attackers can execute malicious code | heise online
If admins do not install the security updates, attackers can exploit the vulnerabilities and gain higher user rights or even execute malicious code. However, network admins should not put off installing the security updates.
NA - CVE-2024-49557 - Dell SmartFabric OS10 Software, version(s)...
Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection')...
CVE-2024-49557 | Dell SmartFabric OS10 Software 10.5.4.x/10.5.5.x/10.5.6.x command injection (dsa-2024-425)
A vulnerability was found in Dell SmartFabric OS10 Software 10.5.4.x/10.5.5.x/10.5.6.x and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to command injection. This vulnerability is handled as CVE-2024-49557. It is possible to launch the attack on the local host. There is no exploit available.
CVE-2024-49557
High Severity Description Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. Read more at https://www.tenable.com/cve/CVE-2024-49557

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
