CVE-2023-24576

7.5 HIGH

📋 TL;DR

CVE-2023-24576 is an unauthenticated remote code execution vulnerability in EMC NetWorker's nsrexecd service. This allows attackers to execute arbitrary code on affected systems without authentication, potentially compromising the entire NetWorker environment. All systems running vulnerable versions of NetWorker are affected.

💻 Affected Systems

Products:
  • EMC NetWorker
  • Dell NetWorker
Versions: Versions prior to 19.10.0.2
Operating Systems: All supported operating systems for NetWorker
Default Config Vulnerable: ⚠️ Yes
Notes: The nsrexecd service runs by default on NetWorker installations and listens on TCP ports in the 7937-9937 range.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal backup data, deploy ransomware, and pivot to other systems in the network.

🟠 Likely Case

Attackers gain initial foothold on backup infrastructure, potentially accessing sensitive backup data and using the compromised system as a launch point for further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the backup environment, though data exfiltration remains possible.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and affects a network service, making internet-exposed systems extremely vulnerable to exploitation.
🏢 Internal Only: HIGH - Even internally, the unauthenticated nature makes this easily exploitable by any attacker who gains network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the nsrdump component of the nsrexecd service, allowing unauthenticated attackers to trigger code execution through specially crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.10.0.2 and later

Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000208258/dsa-2023-041-dell-networker-security-update-for-nsrdump-vulnerability

Restart Required: Yes

Instructions:

1. Download the patch from Dell Support site.
2. Apply the patch following Dell's installation guide.
3. Restart NetWorker services.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to nsrexecd service (ports 7937-9937) to only trusted management systems.

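# Allow the trusted management host first; rules are evaluated in order and the first match wins.
iptables -A INPUT -p tcp --dport 7937:9937 -s <trusted_ip> -j ACCEPT
# -A appends to the end of the chain, so an earlier, broader ACCEPT rule would still take precedence over this DROP.
iptables -A INPUT -p tcp --dport 7937:9937 -j DROP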

Service Disablement

linux

Temporarily disable the nsrexecd service if not required for operations.

systemctl stop nsrexecd
systemctl disable nsrexecd

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NetWorker systems from untrusted networks
  • Deploy host-based firewalls to restrict access to nsrexecd ports (7937-9937) to only authorized management systems

🔍 How to Verify

Check if Vulnerable:

Check the NetWorker version with nsr -v or by checking the installed packages. If the version is below 19.10.0.2, the system is vulnerable.

Check Version:

nsr -v

Verify Fix Applied:

Verify the version is 19.10.0.2 or higher and check that the nsrexecd service is running with the updated binary.

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to ports 7937-9937
  • Unexpected process execution from nsrexecd
  • Failed authentication attempts to nsrexecd service

Network Indicators:

  • Unusual traffic patterns to/from ports 7937-9937
  • Connection attempts from unauthorized IPs to nsrexecd ports

SIEM Query:

(source_port:7937-9937 OR destination_port:7937-9937) AND (process_name:nsrexecd OR service_name:nsrexecd)
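
One way to apply the "connection attempts from unauthorized IPs to nsrexecd ports" indicator to host firewall logs. This is an added example, not part of the advisory or any vendor tooling. It assumes packets are logged by the iptables LOG target; the trusted subnet, the "NSR" log prefix, the host name and the sample lines are constructed, and the log lines are abbreviated.

```python
import ipaddress
import re

# Assumption: the management hosts permitted to reach nsrexecd (same idea as <trusted_ip>).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/28")]
NSREXECD_PORTS = range(7937, 9938)  # 7937-9937 inclusive, as listed on this page

# Key=value fields written by the iptables LOG target.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
Mar  3 02:11:07 bkp01 kernel: NSR IN=eth0 OUT= SRC=10.20.0.5 DST=10.20.1.10 LEN=60 PROTO=TCP SPT=40112 DPT=7937 SYN
Mar  3 02:14:45 bkp01 kernel: NSR IN=eth0 OUT= SRC=198.51.100.23 DST=10.20.1.10 LEN=60 PROTO=TCP SPT=51514 DPT=7938 SYN
Mar  3 02:14:46 bkp01 kernel: NSR IN=eth0 OUT= SRC=198.51.100.23 DST=10.20.1.10 LEN=60 PROTO=TCP SPT=51520 DPT=22 SYN
Mar  3 02:15:02 bkp01 kernel: NSR IN=eth0 OUT= SRC=192.0.2.77 DST=10.20.1.10 LEN=60 PROTO=UDP SPT=5353 DPT=8000
Mar  3 02:15:09 bkp01 kernel: NSR IN=eth0 OUT= SRC=192.0.2.77 DST=10.20.1.10 LEN=60 PROTO=TCP SPT=40000 DPT=9937 SYN
Mar  3 02:15:10 bkp01 kernel: truncated line without fields
"""


def is_trusted(addr):
    """True if addr falls inside one of the trusted management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_connections(log_text):
    """Return (src, dst, dport) for TCP packets to nsrexecd ports from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # not a packet log line, or truncated
        if f["PROTO"] != "TCP" or not f["DPT"].isdigit():
            continue
        try:
            trusted = is_trusted(f["SRC"])
        except ValueError:
            continue  # malformed source address
        if int(f["DPT"]) in NSREXECD_PORTS and not trusted:
            hits.append((f["SRC"], f["DST"], int(f["DPT"])))
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_untrusted_connections(SAMPLE_LOG):
        print(f"ALERT untrusted source {src} -> {dst}:{dport}")
```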
