CVE-2023-28078

15.02.2024, 13:15

Dell OS10 Networking Switches running 10.5.2.x and above contain a vulnerability with zeroMQ when VLT is configured. A remote unauthenticated attacker could potentially exploit this vulnerability leading to information disclosure and a possible Denial of Service when a huge number of requests are sent to the switch. This is a high severity vulnerability as it allows an attacker to view sensitive data. Dell recommends customers to upgrade at the earliest opportunity.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
dell	CNA	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 43%

Vendor	Product	Version
dell	smartfabric_os10	10.5.2.0 ≤ 𝑥 < 10.5.2.12
dell	smartfabric_os10	10.5.3.0 ≤ 𝑥 < 10.5.3.8
dell	smartfabric_os10	10.5.4.0 ≤ 𝑥 < 10.5.4.8
dell	smartfabric_os10	10.5.5.0
dell	smartfabric_os10	10.5.5.1
dell	smartfabric_os10	10.5.5.2
dell	smartfabric_os10	10.5.5.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

References

https://www.dell.com/support/kbdoc/en-us/000216584/dsa-2023-124-security-update-for-dell-smartfabric-os10-multiple-vulnerabilities