CVE-2024-28965
📋 TL;DR
Dell Secure Connect Gateway (SCG) versions before 5.24.00.00 have an improper access control vulnerability in an internal REST API. A remote low-privileged attacker can exploit this to execute admin-only API calls, potentially accessing restricted resources and changing system state. Only systems where the internal REST API has been enabled by an admin are affected.
💻 Affected Systems
- Dell Secure Connect Gateway (SCG)
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized attacker gains administrative access to the SCG backend database, leading to data theft, configuration changes, or complete system compromise.
Likely Case
Low-privileged user escalates privileges to perform unauthorized administrative actions within the SCG application.
If Mitigated
If the internal REST API is disabled (default), the vulnerability cannot be exploited.
🎯 Exploit Status
Exploitation requires a low-privileged account (not unauthenticated) and the internal REST API to be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.24.00.00
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000225910/dsa-2024-181-security-update-for-dell-secure-connect-gateway-application-and-appliance-vulnerabilities
Restart Required: Yes
Instructions:
1. Download SCG version 5.24.00.00 from Dell Support.
2. Back up the current configuration.
3. Apply the update following Dell's upgrade procedures.
4. Restart the SCG appliance/service.
🔧 Temporary Workarounds
Disable Internal REST API
If the internal REST API is enabled, disable it through the SCG administrative UI to prevent exploitation.
No CLI commands - use SCG web interface
🧯 If You Can't Patch
- Ensure the internal REST API is disabled in SCG configuration.
- Restrict network access to SCG management interfaces to authorized administrators only.
🔍 How to Verify
Check if Vulnerable:
Check SCG version via web interface or CLI. If version is below 5.24.00.00 AND internal REST API is enabled, system is vulnerable.
Check Version:
Specific command varies by deployment. Typically available via SCG web interface under System Information or via appliance CLI.
Verify Fix Applied:
Confirm SCG version is 5.24.00.00 or higher via version check command or web interface.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to internal REST API endpoints
- Privilege escalation events in SCG audit logs
- Unexpected administrative actions from low-privileged accounts
Network Indicators:
- Unusual API calls to SCG internal REST endpoints from non-admin sources
SIEM Query:
source="dell_scg" AND (event_type="api_access" AND user_privilege="low" AND api_endpoint CONTAINS "internal")
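The "Check if Vulnerable" rule and the SIEM condition above, combined into one triage script as an added example (not Dell's or this page's own code). The inventory and event layouts are assumptions, and every host, version, user and endpoint value is constructed; only the field names in the filter come from the query above.

```python
# Added example: triage for CVE-2024-28965 using the conditions stated on this page.
# Record layouts are assumptions; all hosts, versions and events are constructed.
FIXED = (5, 24, 0, 0)  # fixed release named on the page: 5.24.00.00


def parse_version(text):
    """'5.9.00.00' -> (5, 9, 0, 0), so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (len(FIXED) - len(parts))  # pad short versions with zeros


def classify(version, internal_api_enabled):
    """Vulnerable only when below the fixed release AND the internal API is enabled."""
    if parse_version(version) >= FIXED:
        return "patched"
    return "vulnerable" if internal_api_enabled else "unpatched, API disabled"


def flagged(events):
    """Apply the page's SIEM condition to already-parsed events (dicts)."""
    return [e for e in events
            if e.get("source") == "dell_scg"
            and e.get("event_type") == "api_access"
            and e.get("user_privilege") == "low"
            and "internal" in e.get("api_endpoint", "")]


INVENTORY = [  # constructed: (host, version, internal REST API enabled)
    ("scg-a.example", "5.22.00.00", True),
    ("scg-b.example", "5.22.00.00", False),
    ("scg-c.example", "5.24.00.00", True),
    ("scg-d.example", "5.9.00.00", True),  # a string compare would rank this above 5.24
]

EVENTS = [  # constructed; endpoint paths are placeholders, not real SCG routes
    {"source": "dell_scg", "event_type": "api_access", "user": "svc-report",
     "user_privilege": "low", "api_endpoint": "/internal/placeholder"},
    {"source": "dell_scg", "event_type": "api_access", "user": "admin1",
     "user_privilege": "admin", "api_endpoint": "/internal/placeholder"},
    {"source": "dell_scg", "event_type": "login", "user": "svc-report",
     "user_privilege": "low", "api_endpoint": ""},
]

if __name__ == "__main__":
    for host, version, api_on in INVENTORY:
        print(f"{host:15} {version:12} {classify(version, api_on)}")
    for event in flagged(EVENTS):
        print("review:", event["user"], event["api_endpoint"])
```

Hosts reported as "unpatched, API disabled" are not exploitable under the page's conditions but become so if an admin later enables the internal REST API, so they still belong on the upgrade list.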
🔗 References
- https://www.dell.com/support/kbdoc/en-us/000225910/dsa-2024-181-security-update-for-dell-secure-connect-gateway-application-and-appliance-vulnerabilities