CVE-2023-44277

Name

OS command injection vulnerability in the CLI

CVSS score

7.8 (High)

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product name

Dell PowerProtect DD

Confirmed exploitable versions

prior to: 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110

Researcher

Jakub Brzozowski (redfr0g), Franciszek Kalinowski, Stanisław Koza

Description

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, and 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability, leading to privilege escalation.

Proof-of-concept

PoC: TBA

Timeline

05-10-2023 - vulnerability reported to vendor
10-01-2024 - public security advisory released

References

https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44277