CVE-2025-43723
📋 TL;DR
Dell PowerScale OneFS contains a broken cryptographic algorithm vulnerability that allows unauthenticated remote attackers to potentially access sensitive information. This affects OneFS versions prior to 9.10.1.3 and versions 9.11.0.0 through 9.12.0.0. Organizations using vulnerable versions are at risk of data exposure.
💻 Affected Systems
- Dell PowerScale OneFS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of encrypted data, allowing attackers to decrypt sensitive information stored or transmitted by the system.
Likely Case
Partial information disclosure where attackers can recover some encrypted data, potentially exposing sensitive configuration or user information.
If Mitigated
Limited impact with proper network segmentation and access controls, but cryptographic weaknesses remain exploitable if systems are reachable.
🎯 Exploit Status
Exploitation requires cryptographic analysis and understanding of the specific broken algorithm implementation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.10.1.3 or later for 9.10.x branch, 9.12.0.1 or later for 9.11.x/9.12.x branches
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000390206/dsa-2025-381-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Dell Support.
2. Apply the patch following Dell's upgrade procedures.
3. Reboot the PowerScale cluster to complete the update.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to PowerScale management interfaces to trusted networks only
Configure firewall rules to limit access to PowerScale nodes
Access Control
Implement strict network access controls to prevent unauthorized access to vulnerable systems
Use network ACLs to restrict traffic to PowerScale clusters
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PowerScale clusters from untrusted networks
- Monitor for unusual access patterns or cryptographic-related errors in system logs
🔍 How to Verify
Check if Vulnerable:
Check the OneFS version using the CLI command: 'isi version' or through the web administration interface
Check Version:
isi version
Verify Fix Applied:
Verify the version is 9.10.1.3 or higher for 9.10.x, or 9.12.0.1 or higher for 9.11.x/9.12.x branches
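The version check above, encoded as an added script (not Dell's tooling and not part of the original advisory) that classifies an OneFS release against the affected and fixed ranges this page states. It assumes only that the `isi version` output contains the release as a dotted numeric string such as 9.10.0.0; the sample outputs are constructed.

```python
import re
from typing import Tuple

Version = Tuple[int, ...]

# Boundaries taken from the advisory text for CVE-2025-43723.
FIXED_9_10 = (9, 10, 1, 3)           # 9.10.x branch is fixed from this release
AFFECTED_9_11_START = (9, 11, 0, 0)  # start of the 9.11.0.0 .. 9.12.0.0 affected range
AFFECTED_9_12_END = (9, 12, 0, 0)    # end of that range (inclusive)
FIXED_9_12 = (9, 12, 0, 1)           # 9.11.x/9.12.x branches are fixed from this release


def parse_version(cli_output: str) -> Version:
    """Pull the first dotted numeric version out of CLI output and pad it to 4 parts.

    Assumption: `isi version` prints the release as A.B.C.D somewhere in its output.
    """
    match = re.search(r"\d+(?:\.\d+){1,3}", cli_output)
    if not match:
        raise ValueError(f"no dotted version found in: {cli_output!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (4 - len(parts))  # e.g. 9.11 -> (9, 11, 0, 0)


def is_vulnerable(version: Version) -> bool:
    """Vulnerable if before 9.10.1.3, or within 9.11.0.0 through 9.12.0.0."""
    if version < FIXED_9_10:
        return True
    return AFFECTED_9_11_START <= version <= AFFECTED_9_12_END


def assess(cli_output: str) -> str:
    """Return a one-line verdict naming the fixed release to move to."""
    version = parse_version(cli_output)
    dotted = ".".join(map(str, version))
    if not is_vulnerable(version):
        return f"{dotted}: not affected per advisory"
    # Pre-9.11 clusters stay on the 9.10.x fix; 9.11.x/9.12.x go to 9.12.0.1.
    target = FIXED_9_10 if version < AFFECTED_9_11_START else FIXED_9_12
    return f"{dotted}: VULNERABLE, upgrade to {'.'.join(map(str, target))} or later"


if __name__ == "__main__":
    # Constructed sample outputs; real `isi version` output will contain more text.
    for sample in ("OneFS 9.8.0.0", "OneFS 9.10.1.3", "OneFS 9.11.0.0", "OneFS 9.12.0.1"):
        print(assess(sample))
```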
📡 Detection & Monitoring
Log Indicators:
- Unusual cryptographic errors
- Failed authentication attempts from unexpected sources
- Unexpected network connections to PowerScale services
Network Indicators:
- Unusual traffic patterns to PowerScale management ports
- Multiple failed connection attempts from single sources
SIEM Query:
source="powerscale*" AND (event_type="auth_failure" OR event_type="crypto_error")