CVE-2023-25544

7.5 HIGH

📋 TL;DR

Dell NetWorker versions 19.5 and earlier expose the version of the embedded Apache Tomcat, allowing attackers to fingerprint the software. The disclosure is reachable by users with remote access to NetWorker clients and can enable targeted attacks based on known vulnerabilities in specific Tomcat versions.

💻 Affected Systems

Products:
  • Dell NetWorker
Versions: 19.5 and earlier
Operating Systems: All supported OS for Dell NetWorker
Default Config Vulnerable: ⚠️ Yes
Notes: Requires remote access to NetWorker clients; Apache Tomcat is embedded in NetWorker.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers use version information to launch targeted exploits against known vulnerabilities in the exposed Apache Tomcat version, potentially leading to remote code execution or data exfiltration.

🟠 Likely Case

Attackers gather intelligence about the system to plan targeted attacks, increasing the success rate of subsequent exploitation attempts.

🟢 If Mitigated

Limited information disclosure with no direct exploitation path, though it still provides reconnaissance value to attackers.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires prior access and additional steps to leverage version information for attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to NetWorker version 19.6 or later

Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000210471/dsa-2023-058-dell-networker-security-update-for-version-disclosure-vulnerability

Restart Required: Yes

Instructions:

1. Download the latest NetWorker update from Dell support.
2. Apply the patch following Dell's installation guide.
3. Restart NetWorker services to apply changes.

🔧 Temporary Workarounds

Restrict Access to NetWorker Clients

Platforms: all

Limit network access to NetWorker clients to trusted IPs only.

Use firewall rules to restrict inbound connections to NetWorker ports (e.g., iptables for Linux, Windows Firewall for Windows).

Disable Version Headers in Tomcat

Platforms: all

Configure Apache Tomcat to suppress version information in HTTP headers.

Modify Tomcat's server.xml to set server="" or a generic value in the Connector configuration.
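To confirm the header workaround took effect, the following added example (not from Dell or from the original page) scans a saved HTTP response for Tomcat version banners. It goes slightly beyond the header case by also checking the response body, on the assumption that the banner can appear in a default error page as well. The function names and both sample responses are constructed for illustration.

```python
import re

# Version-bearing banners Tomcat can emit: "Apache Tomcat/<version>" appears in
# default error pages, "Apache-Coyote/1.1" is the legacy Server header value.
BANNER = re.compile(r"Apache(?: Tomcat|-Coyote)/\d+(?:\.\d+)*", re.I)

def split_response(raw: str):
    """Split a raw HTTP response into (lower-cased headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def find_disclosures(raw: str):
    """Return (location, banner) pairs for every version banner in one response."""
    headers, body = split_response(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        match = BANNER.search(headers.get(name, ""))
        if match:
            findings.append((f"header:{name}", match.group(0)))
    for match in BANNER.finditer(body):
        findings.append(("body", match.group(0)))
    return findings

# Constructed sample responses (not captured from a real NetWorker host).
BEFORE = (
    "HTTP/1.1 404 \r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 404</h1><h3>Apache Tomcat/9.0.41</h3></body></html>"
)
AFTER = (
    "HTTP/1.1 404 \r\nServer: webserver\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 404</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(raw) or "no version banner found")
```

A `body` finding means the error page still carries the banner, which the Connector `server` attribute does not change; in stock Tomcat that is controlled separately by the ErrorReportValve `showServerInfo` attribute.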

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NetWorker clients from untrusted networks.
  • Monitor for unusual access patterns or reconnaissance attempts targeting NetWorker systems.

🔍 How to Verify

Check if Vulnerable:

Check NetWorker version via administrative interface or command line; if version is 19.5 or earlier, it is vulnerable.

Check Version:

On NetWorker server, run 'nsr_version' command or check via NetWorker Management Console.

Verify Fix Applied:

Confirm NetWorker version is 19.6 or later after patching.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to NetWorker endpoints, especially those probing for version information.

Network Indicators:

  • Traffic to NetWorker ports (default 9000-9001) from unauthorized sources.

SIEM Query:

source="NetWorker" AND (event="version_disclosure" OR http_user_agent CONTAINS "scanner")
