CVE-2023-32491
📋 TL;DR
Dell PowerScale OneFS versions 9.5.0.x have a vulnerability where SNMPv3 logs sensitive information that low-privilege users can access. This allows unauthorized information disclosure from system logs. Only Dell PowerScale OneFS 9.5.0.x installations with SNMPv3 enabled are affected.
💻 Affected Systems
- Dell PowerScale OneFS
⚠️ Risk & Real-World Impact
Worst Case
Sensitive SNMPv3 credentials or configuration data could be extracted from logs, potentially enabling further system compromise or credential reuse attacks.
Likely Case
Low-privilege users accessing log files could obtain sensitive SNMPv3 information, leading to information disclosure about system configuration.
If Mitigated
With proper log file permissions and access controls, only authorized administrators could access logs, limiting exposure.
🎯 Exploit Status
Exploitation requires a low-privilege user account with access to log files containing SNMPv3 information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply updates as specified in DSA-2023-269
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities
Restart Required: Yes
Instructions:
1. Review DSA-2023-269 advisory.
2. Download appropriate OneFS update from Dell support.
3. Apply update following Dell's PowerScale update procedures.
4. Restart affected systems as required.
🔧 Temporary Workarounds
Restrict log file access
Implement strict file permissions on SNMPv3 log files to prevent low-privilege users from accessing them.
chmod 640 /var/log/snmp*
chown root:admin /var/log/snmp*
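To confirm the permission workaround took effect, this added example (not from Dell or from the original page) audits files matching the same snmp* pattern for modes broader than 640 or an unexpected owner. The function name `audit_snmp_logs` and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit SNMP log files against the 640 / owner workaround.
# Usage: audit_snmp_logs DIR [EXPECTED_OWNER]   e.g. audit_snmp_logs /var/log root
# Prints one finding per line; returns 0 when clean, 1 when any file is exposed.
audit_snmp_logs() {
    _dir=$1
    _owner=${2:-root}     # owner the workaround expects (name or numeric uid)
    _rc=0
    for _f in "$_dir"/snmp*; do
        # Skip an unmatched glob, non-regular files and symlinks.
        [ -f "$_f" ] && [ ! -L "$_f" ] || continue
        # Any permission bit granted to "other" lets unprivileged users in.
        if [ -n "$(find "$_f" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
            echo "OTHER-ACCESS $_f"
            _rc=1
        fi
        # Group write is broader than the 640 mode the workaround sets.
        if [ -n "$(find "$_f" -perm -020 -print)" ]; then
            echo "GROUP-WRITE $_f"
            _rc=1
        fi
        # A file owned by anyone else can have its mode changed back by that user.
        if [ -n "$(find "$_f" ! -user "$_owner" -print)" ]; then
            echo "OWNER-MISMATCH $_f"
            _rc=1
        fi
    done
    return $_rc
}
```

Log rotation can recreate files with default modes, so re-run the audit after each rotation.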
Disable SNMPv3 if not required
Temporarily disable SNMPv3 service until patching can be completed.
isi services -a snmp disable
🧯 If You Can't Patch
- Implement strict access controls on log directories to prevent low-privilege users from reading SNMPv3 logs.
- Disable SNMPv3 entirely if it's not required for operations, or use SNMPv1/v2c with community strings if acceptable; note that v1/v2c send the community string in cleartext and provide no encryption.
🔍 How to Verify
Check if Vulnerable:
Check OneFS version with 'isi version' command and verify if SNMPv3 is enabled in configuration.
Check Version:
isi version
Verify Fix Applied:
Verify updated version with 'isi version' and confirm SNMPv3 logs no longer contain sensitive information.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to SNMP log files
- User accounts with low privileges accessing /var/log/snmp*
Network Indicators:
- Unusual SNMPv3 traffic patterns from non-admin users
SIEM Query:
source="/var/log/snmp*" AND (user!="root" AND user!="admin")