CVE-2024-28967
📋 TL;DR
Dell Secure Connect Gateway (SCG) versions before 5.24.00.00 have an improper access control vulnerability in an internal maintenance REST API. If an administrator enables this API via the UI, a remote low-privileged attacker could execute admin-only API calls, potentially accessing restricted resources or changing system state. This affects Dell SCG deployments with the vulnerable API enabled.
💻 Affected Systems
- Dell Secure Connect Gateway (SCG)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrative access to the SCG backend database, leading to data theft, configuration changes, or complete system compromise.
Likely Case
Unauthorized access to sensitive configuration data or limited system state changes due to API restrictions.
If Mitigated
No impact if the vulnerable API is disabled or the system is patched.
🎯 Exploit Status
Attack requires low-privileged access and the API to be enabled; no public exploits known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.24.00.00
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000225910/dsa-2024-181-security-update-for-dell-secure-connect-gateway-application-and-appliance-vulnerabilities
Restart Required: Yes
Instructions:
1. Download Dell SCG version 5.24.00.00 or later from Dell support.
2. Follow Dell's upgrade procedures for SCG appliances or software.
3. Restart the system as required after patching.
🔧 Temporary Workarounds
Disable the internal maintenance REST API
Prevent exploitation by disabling the vulnerable API if it is not needed.
Access the SCG admin UI, navigate to the API settings, and disable the internal maintenance REST API.
🧯 If You Can't Patch
- Disable the internal maintenance REST API via the admin UI to remove the attack surface.
- Restrict network access to the SCG to trusted IPs only using firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check the SCG version via the admin UI or CLI; if below 5.24.00.00 and the internal maintenance REST API is enabled, the system is vulnerable.
Check Version:
Use the SCG admin UI or CLI command specific to the appliance (e.g., 'show version' or similar).
Verify Fix Applied:
Confirm the SCG version is 5.24.00.00 or higher and verify the API is disabled or patched per vendor guidance.
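The version check above is easy to get wrong if version strings are compared as text (lexically, "5.9.00.00" sorts after "5.24.00.00"). The following script is an added example, not Dell's code: it assumes the operator has already read the SCG version string and the state of the internal maintenance REST API from the admin UI or CLI and passes both in, and it combines them into the advisory's two conditions.

```python
"""Version/exposure check for CVE-2024-28967 in Dell Secure Connect Gateway.

Added example, not Dell's code. It assumes the operator has already read the
SCG version string and the state of the internal maintenance REST API from
the admin UI or CLI and passes both in; it does not talk to the appliance.
"""
from typing import Tuple

# Fixed release named in the Dell advisory (DSA-2024-181).
FIXED_VERSION = "5.24.00.00"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted SCG version such as '5.24.00.00' into a tuple of ints.

    Comparing the raw strings is wrong ('5.9.00.00' > '5.24.00.00' lexically),
    so each component is compared numerically. Shorter strings are padded
    with zeros so '5.24' equals '5.24.00.00'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in parts]
    numbers.extend([0] * (4 - len(numbers)))
    return tuple(numbers)


def is_patched(version: str) -> bool:
    """True when the installed build is the fixed release or newer."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def is_vulnerable(version: str, maintenance_api_enabled: bool) -> bool:
    """The advisory's two conditions: old build AND the maintenance API on."""
    return not is_patched(version) and maintenance_api_enabled


def assess(version: str, maintenance_api_enabled: bool) -> str:
    """Human-readable verdict matching the 'How to Verify' guidance."""
    if is_patched(version):
        return "patched"
    if maintenance_api_enabled:
        return "vulnerable: upgrade to 5.24.00.00 or disable the maintenance API"
    return "exposure removed by workaround; upgrade still required"


if __name__ == "__main__":
    # Constructed inputs standing in for values read from the UI/CLI.
    for ver, enabled in [("5.22.00.10", True), ("5.9.00.00", True),
                         ("5.20.00.00", False), ("5.24.00.00", True)]:
        print(f"{ver:<12} api_enabled={enabled!s:<5} -> {assess(ver, enabled)}")
```

Note that disabling the API only changes the verdict to "exposure removed"; the script still reports that the upgrade is outstanding, which matches the workaround guidance on this page.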
📡 Detection & Monitoring
Log Indicators:
- Unusual API access logs from non-admin users to internal maintenance endpoints.
- Failed authentication attempts or access denied errors for admin-only APIs.
Network Indicators:
- Suspicious HTTP requests to SCG REST API endpoints from unauthorized sources.
SIEM Query:
source="dell-scg" AND ((event_type="api_access" AND user_role!="admin") OR (http_request LIKE "%maintenance%" AND response_code=200))
The outer parentheses matter: AND binds more tightly than OR, so without them the source="dell-scg" filter applies only to the first clause and the maintenance clause matches events from any source.
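To see how the SIEM logic behaves on real records, here is an added example (not Dell's code) that runs both clauses over constructed JSON log lines. The field names (source, event_type, user_role, http_request, response_code) are the ones used in the query on this page; the log records and the endpoint paths inside them are constructed for illustration and are not real SCG routes. It also shows what an unparenthesised version of the query would flag.

```python
"""Run the CVE-2024-28967 SIEM logic over sample SCG log records.

Added example, not Dell's code. Field names come from the page's SIEM query;
the JSON log lines below are constructed and the endpoint paths in them are
placeholders, not real SCG routes.
"""
import json
from typing import Callable, Dict, Iterator, List

# Constructed sample records. Record 4 comes from a different log source and
# is the case that separates a correctly parenthesised query from a sloppy one.
SAMPLE_LOGS = """
{"id": 1, "source": "dell-scg", "event_type": "api_access", "user_role": "admin", "http_request": "GET /api/example/config", "response_code": 200}
{"id": 2, "source": "dell-scg", "event_type": "api_access", "user_role": "user", "http_request": "POST /api/example/maintenance/task", "response_code": 200}
{"id": 3, "source": "dell-scg", "event_type": "api_access", "user_role": "user", "http_request": "GET /api/example/status", "response_code": 403}
{"id": 4, "source": "webproxy", "event_type": "http", "user_role": "user", "http_request": "GET /vendor/maintenance-notes.html", "response_code": 200}
{"id": 5, "source": "dell-scg", "event_type": "login", "user_role": "user", "http_request": "POST /login", "response_code": 200}
"""

Record = Dict[str, object]


def parse_logs(text: str) -> Iterator[Record]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def non_admin_api_access(rec: Record) -> bool:
    """event_type="api_access" AND user_role!="admin" from the page's query."""
    return rec.get("event_type") == "api_access" and rec.get("user_role") != "admin"


def successful_maintenance_call(rec: Record) -> bool:
    """http_request LIKE "%maintenance%" AND response_code=200, with LIKE
    treated here as a case-insensitive substring test."""
    return ("maintenance" in str(rec.get("http_request", "")).lower()
            and rec.get("response_code") == 200)


def matches_corrected(rec: Record) -> bool:
    """source="dell-scg" AND ((non-admin API access) OR (200 on maintenance))."""
    return rec.get("source") == "dell-scg" and (
        non_admin_api_access(rec) or successful_maintenance_call(rec))


def matches_unparenthesised(rec: Record) -> bool:
    """The same clauses without the outer parentheses: AND binds tighter than
    OR, so the source filter covers only the first clause and the maintenance
    clause fires on records from any source."""
    return (rec.get("source") == "dell-scg" and non_admin_api_access(rec)) \
        or successful_maintenance_call(rec)


def find_alerts(text: str,
                matcher: Callable[[Record], bool] = matches_corrected) -> List[int]:
    """Return the ids of the records the matcher flags, in log order."""
    return [int(rec["id"]) for rec in parse_logs(text) if matcher(rec)]


if __name__ == "__main__":
    print("corrected query flags:      ", find_alerts(SAMPLE_LOGS))
    print("unparenthesised query flags:", find_alerts(SAMPLE_LOGS, matches_unparenthesised))
```

Record 3 (a non-admin API call that was denied with 403) is flagged by both forms because the first clause does not look at the response code; keeping it in the alert set is consistent with the "failed authentication attempts or access denied errors" indicator listed above, but it is the kind of event that is worth routing at a lower severity than a non-admin maintenance call that returned 200.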
🔗 References
- https://www.dell.com/support/kbdoc/en-us/000225910/dsa-2024-181-security-update-for-dell-secure-connect-gateway-application-and-appliance-vulnerabilities