Critical Dell PowerScale Vulnerability Allows Attackers Unauthorized Access to Filesystem


Dell Technologies has issued a critical security advisory (DSA-2025-208) for its PowerScale OneFS operating system, addressing multiple vulnerabilities that could allow malicious actors to compromise affected systems.

The most severe of these vulnerabilities, tracked as CVE-2024-53298, involves a missing authorization flaw in the NFS export functionality.

This critical vulnerability, with a CVSS base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows unauthenticated attackers with remote access to gain unauthorized access to the file system, potentially enabling them to read, modify, or delete arbitrary files.


Such a flaw could lead to full system compromise if exploited.

Another significant vulnerability, CVE-2025-32753, is an SQL injection issue (CWE-89) in OneFS, rated with a CVSS base score of 5.3.

This flaw allows a low-privileged local attacker to execute arbitrary SQL queries, potentially resulting in denial of service, information disclosure, or tampering with system data.

Notably, this SQL injection can be triggered by sending specially crafted requests to the affected application, exploiting insufficient sanitization of user-supplied data.
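The "insufficient sanitization" behind CWE-89 is easiest to see side by side. The following is an added illustration, not Dell code and not the vulnerable OneFS component: it uses a constructed in-memory SQLite table (the `exports` table, zone names and paths are all made up) to contrast a query that concatenates user input into SQL text with the parameterized form that treats the same input purely as data.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not OneFS data) for demonstrating the two query patterns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exports (id INTEGER PRIMARY KEY, zone TEXT, path TEXT)")
    conn.executemany(
        "INSERT INTO exports (zone, path) VALUES (?, ?)",
        [
            ("System", "/ifs/data/public"),
            ("Finance", "/ifs/data/finance"),
            ("HR", "/ifs/data/hr"),
        ],
    )
    conn.commit()
    return conn


def lookup_exports_vulnerable(conn: sqlite3.Connection, zone: str) -> list:
    """Hypothetical CWE-89 pattern: the caller-supplied zone name is spliced into the
    SQL text, so a quote character in `zone` changes the structure of the statement
    instead of being compared as a value."""
    query = f"SELECT path FROM exports WHERE zone = '{zone}'"
    return [row[0] for row in conn.execute(query)]


def lookup_exports_safe(conn: sqlite3.Connection, zone: str) -> list:
    """Hardened form: a bound parameter is always data. The database engine never
    re-parses it as SQL, so quotes in `zone` cannot alter the statement."""
    return [
        row[0]
        for row in conn.execute("SELECT path FROM exports WHERE zone = ?", (zone,))
    ]


def compare(zone: str) -> tuple:
    """Return (rows from the vulnerable query, rows from the safe query) for one input,
    which makes the difference in exposed data directly measurable."""
    conn = build_sample_db()
    try:
        return lookup_exports_vulnerable(conn, zone), lookup_exports_safe(conn, zone)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed zone name behaves identically under both query styles.
    print("Finance:", compare("Finance"))
    # A quote-bearing input (constructed for this example) shows the divergence:
    # the concatenated query returns every row, the parameterized one returns none.
    print("crafted:", compare("x' OR '1'='1"))
```

The takeaway for reviewers is that the fix is structural, not a matter of filtering characters: once the query uses bound parameters, the amount of data returned no longer depends on what the caller typed.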

The vulnerabilities affect multiple components, including third-party libraries (FreeBSD, SupportAssist) and proprietary Dell code.

Below is a summary of the key CVEs, their impact, and recommended remediation steps:

| CVE ID | Description | CVSS Score | Affected Versions | Remediated Version |
|---|---|---|---|---|
| CVE-2024-53298 | Missing authorization in NFS export allows remote, unauthenticated access to the filesystem. | 9.8 | 9.5.0.0 – 9.10.0.1 | 9.10.1.2 or later |
| CVE-2025-32753 | SQL injection vulnerability enables local attackers to execute arbitrary SQL commands. | 5.3 | 9.5.0.0 – 9.10.0.1 | 9.10.1.2 or later |
| CVE-2024-53580 | FreeBSD third-party component vulnerability. | | 9.5.0.0 – 9.10.0.1 | 9.10.1.2 or later |
| CVE-2024-39689 | SupportAssist third-party component vulnerability. | | 9.5.0.0 – 9.10.0.1 | 9.10.1.2 or later |
| CVE-2024-51538 | SupportAssist third-party component vulnerability. | | 9.5.0.0 – 9.10.0.1 | 9.10.1.2 or later |

Dell recommends all customers upgrade to the latest Long-Term Support (LTS) release, specifically version 9.10.1.2 or later, to ensure all known vulnerabilities are addressed.

For customers running older code lines, targeted updates (such as 9.7.1.8 or 9.5.1.3) are also available.
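Deciding which clusters in an inventory are exposed is a version-range comparison, and dotted version strings are easy to get wrong (as plain strings, "9.10.0.1" sorts before "9.5.0.0"). The script below is an added example, not a Dell tool: it encodes the affected range and the 9.10.1.2 LTS fix from the table above, and treats the targeted releases the article names (9.7.1.8 for the 9.7 line, 9.5.1.3 for the 9.5 line) as fixed for their own code line, which is an assumption of this example rather than something the advisory summary states outright. Cluster names and versions in the sample inventory are constructed.

```python
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a four-part OneFS version such as '9.10.0.1' into a tuple of ints.
    Tuples compare numerically per component, which avoids the string-sort trap
    where '9.10' < '9.5'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected OneFS version format: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


# Values taken from the advisory summary table above.
AFFECTED_LOW = parse_version("9.5.0.0")
AFFECTED_HIGH = parse_version("9.10.0.1")
REMEDIATED_LTS = parse_version("9.10.1.2")

# ASSUMPTION of this example: the targeted updates named for older code lines
# are treated as remediating that code line. Confirm against DSA-2025-208.
TARGETED_FIXES: Dict[Tuple[int, int], Version] = {
    (9, 7): parse_version("9.7.1.8"),
    (9, 5): parse_version("9.5.1.3"),
}


def assess(version_text: str) -> str:
    """Classify one cluster's OneFS version against the advisory."""
    v = parse_version(version_text)
    if v >= REMEDIATED_LTS:
        return "remediated"
    line_fix = TARGETED_FIXES.get((v[0], v[1]))
    if line_fix is not None and v >= line_fix:
        return "remediated (targeted update)"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected: upgrade, or reload NFS exports per zone as an interim workaround"
    return "outside the advisory range: verify against DSA-2025-208"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map cluster name -> assessment for a whole inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (cluster names and versions are made up).
    sample = {
        "ps-lab-01": "9.10.0.1",
        "ps-prod-02": "9.10.1.2",
        "ps-prod-03": "9.7.1.8",
        "ps-legacy-04": "9.7.1.7",
    }
    for name, verdict in triage(sample).items():
        print(f"{name:14} {sample[name]:10} {verdict}")
```

Feed it the versions you already collect (for example from your CMDB) and act on every entry that starts with "affected"; anything reported as outside the range deserves a manual check rather than being assumed safe.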

Workarounds, Mitigations, and Acknowledgements

For organizations unable to immediately upgrade, Dell provides a temporary workaround for CVE-2024-53298: administrators should reload each zone with configured NFS exports using the following command:

```bash
isi nfs export reload --zone=zone_name
```

This action resolves the immediate issue without disrupting client connections, but does not prevent future exploitation until a full upgrade is applied.

Dell acknowledges the contribution of zzcentury from Ubisectech Sirius Team for reporting CVE-2025-32753, emphasizing the importance of coordinated vulnerability disclosure in maintaining product security.

Administrators are urged to review the official advisory, apply the necessary patches, and consult Dell’s security resources for ongoing updates.

The security of PowerScale OneFS environments depends on prompt remediation and adherence to best practices in vulnerability management.

The information provided is “as is” without warranty of any kind.

Dell Technologies disclaims all warranties, including merchantability and fitness for a particular purpose. In no event shall Dell be liable for any damages arising from the use of this information.
