CVE-2022-34437: Dell PowerScale OneFS versions 8.2.2-9.3 have an OS command injection vulnerability that a malicious local user can exploit to compromise the system.

All versions of Dell PowerEdge servers, including the following models, are impacted:
- PowerEdge R620
- PowerEdge R720
- PowerEdge R720xd
- PowerEdge R720xd Rack servers
- PowerEdge T630
- PowerEdge T630xd
- PowerEdge T630xd Rack servers
- PowerEdge M630
- PowerEdge M630xd
- PowerEdge M630xd Rack servers
- PowerEdge C630
- PowerEdge C630xd
- PowerEdge C630xd Rack servers
- PowerEdge T420
- PowerEdge T420xd
- PowerEdge T420xd Rack servers
- PowerEdge M420
- PowerEdge M420xd
- PowerEdge M420xd Rack servers
- PowerEdge C210
- PowerEdge C210xi
- PowerEdge C210xi Rack servers
- PowerEdge C210xB
- PowerEdge C210xB Rack servers
- PowerEdge C210xA
- PowerEdge C210xA Rack servers
- PowerEdge M100
- PowerEdge M100xi
- PowerEdge M100xi Rack servers
- PowerEdge M110
- PowerEdge M110xi
- PowerEdge M110xi Rack servers
- PowerEdge M130
- PowerEdge M130xi
- PowerEdge M130xi Rack servers
- PowerEdge M210
- PowerEdge M210xi
- PowerEdge M210xi Rack servers
- PowerEdge M220
- PowerEdge M220xi
- PowerEdge M220xi Rack servers
- PowerEdge M230
- PowerEdge M230xi
- PowerEdge M230xi Rack servers

Affected Software

The Dell PowerEdge servers listed below are impacted by the CVE-2022-34437 vulnerability. The following versions of firmware were affected:
- R620/R720
- R720xd/R720xd Rack servers
- T630/T630xd
- T630xd Rack servers
- M630/M630xd
- M630xd Rack servers
- C630/C630xd
- T420/T420xd
- M420/M420xd
- C210/C210xi
- C210xi Rack servers

Default passwords for SSH server and root user

The default password for the root user and SSH server on Dell PowerEdge servers is dell.

Parts of Dell PowerEdge Servers That Could Compromise Security

Dell says the following parts of their PowerEdge servers are impacted:
- Management processor
- System ROM
- NIC card
- Storage controller
- System devices such as RAID controllers, power supplies, and cooling fans
- Network interface cards in Intel adapters and Cisco 2nd generation adapters

The following components were not impacted by this vulnerability:
- CPU
- Memory modules
- Hard disk drives

Timeline

Published on: 10/21/2022 18:15:00 UTC
Last modified on: 10/24/2022 15:43:00 UTC
