CVE-2024-49560

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Nov 12, 2024 / Updated: 8d ago

CVSS 7.8 | EPSS 0.04% | Severity: High

Summary

Dell SmartFabric OS10 Software, versions 10.5.6.x, 10.5.5.x, 10.5.4.x, and 10.5.3.x, contain a command injection vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to command execution.

Impact

The impact of this vulnerability is severe. If exploited, it could allow an attacker with low privileges and local access to execute arbitrary commands on the affected system. This could lead to unauthorized access, data theft, system manipulation, or disruption of services. The vulnerability has been assigned a CVSS v3.1 base score of 7.8, indicating a high severity. The impact on confidentiality, integrity, and availability is rated as HIGH, meaning the attacker could potentially gain full read and write access to sensitive data, modify or delete critical information, and cause a total shutdown of the affected resource.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Dell has released a security update to address this vulnerability. The patch details can be found in the Dell support article DSA-2024-425, available at https://www.dell.com/support/kbdoc/en-us/000247217/dsa-2024-425-security-update-for-dell-networking-os10-vulnerabilities.

Mitigation

1. Apply the security update provided by Dell as soon as possible.
2. Limit local access to the affected systems to trusted users only.
3. Monitor systems for suspicious activity or unauthorized command execution.
4. Apply the principle of least privilege to minimize the potential impact of the vulnerability.
5. If immediate patching is not possible, consider isolating affected systems or adding access controls as a temporary measure.
6. Ensure that all Dell SmartFabric OS10 Software installations are updated to the patched versions: 10.5.4.13 or later for the 10.5.4.x branch, 10.5.5.12 or later for the 10.5.5.x branch, and 10.5.6.6 or later for the 10.5.6.x branch.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-49560.

Nov 11, 2024 at 11:42 PM / Dell Security Advisories and Notices
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 12, 2024 at 3:31 AM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 12, 2024 at 3:44 AM
CVE Assignment

NVD published the first details for CVE-2024-49560

Nov 12, 2024 at 4:15 AM
CVSS

A CVSS base score of 7.8 has been assigned.

Nov 12, 2024 at 4:20 AM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 12, 2024 at 4:38 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 12, 2024 at 9:54 AM

Affected Systems

Dell/smartfabric_os10

Patches

www.dell.com

Attack Patterns

CAPEC-136: LDAP Injection

References

DSA-2024-425: Security Update for Dell Networking OS10 Vulnerabilities
Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Privilege Management vulnerability. Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Execution with Unnecessary Privileges vulnerability.

News

Dell SmartFabric OS10 Receives Important Security Updates
The vulnerabilities affect several versions of OS10 and range from code execution and privilege escalation to unauthorized file access. The most severe vulnerability, CVE-2024-48837, allows a low-privileged attacker with local access to execute arbitrary code.
Dell SmartFabric OS10: Attackers can execute malicious code | heise online
If admins do not install the security updates, attackers can exploit the vulnerabilities and gain higher user rights or even execute malicious code. However, network admins should not put off installing the security updates.
NA - CVE-2024-49560 - Dell SmartFabric OS10 Software, version(s)...
Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a command injection vulnerability. A low privileged attacker with local access could potentially...
CVE-2024-49560 | Dell SmartFabric OS10 Software 10.5.4.x/10.5.5.x/10.5.6.x command injection (dsa-2024-425)
A vulnerability classified as critical has been found in Dell SmartFabric OS10 Software 10.5.4.x/10.5.5.x/10.5.6.x. Affected is an unknown function. The manipulation leads to command injection. This vulnerability is traded as CVE-2024-49560. Attacking locally is a requirement. There is no exploit available.
CVE-2024-49560
High Severity Description Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a command injection vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. Read more at https://www.tenable.com/cve/CVE-2024-49560

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
