CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity.
Analysis
CVE-2024-53298 is a critical missing authorization vulnerability in the NFS export functionality of Dell PowerScale OneFS that allows unauthenticated remote attackers to gain unauthorized filesystem access. Affected versions range from 9.5.0.0 through 9.10.0.1, and successful exploitation enables arbitrary file read, modification, and deletion, leading to complete system compromise. With a CVSS score of 9.8 and a network-based attack vector requiring no privileges or user interaction, this vulnerability poses a severe risk to unpatched Dell PowerScale deployments. KEV status and active exploitation details should be verified against the vendor advisory.
Technical Context
The vulnerability exists in the NFS (Network File System) export functionality of Dell PowerScale OneFS, a unified storage operating system. The root cause is classified as CWE-862 (Missing Authorization), indicating that the NFS export mechanism fails to properly validate user authentication and authorization before granting filesystem access. NFS is a stateless protocol operating at OSI layer 7 (application layer, typically over UDP/TCP port 2049), and the missing authorization check allows unauthenticated clients to mount and access exported filesystems that should require proper Kerberos, user/group mapping, or other authentication mechanisms. The affected product CPE would be cpe:2.3:a:dell:powerscale_onefs:*:*:*:*:*:*:*:* with version constraints 9.5.0.0 ≤ version ≤ 9.10.0.1. This represents a fundamental flaw in the NFS export ACL/permission enforcement layer, not a crypto or protocol-level issue.
Affected Products
Dell PowerScale OneFS versions 9.5.0.0, 9.5.0.1, 9.6.0.0, 9.6.0.1, 9.7.0.0, 9.7.0.1, 9.8.0.0, 9.8.0.1, 9.9.0.0, 9.9.0.1, 9.10.0.0, and 9.10.0.1 are affected. CPE identifier: cpe:2.3:a:dell:powerscale_onefs:*:*:*:*:*:*:*:* (9.5.0.0 through 9.10.0.1). This affects both physical PowerScale clusters and OneFS software deployments. All NFS export configurations in these versions are potentially vulnerable unless additional network segmentation or firewall controls are in place. Dell advisory documentation should be referenced for specific patch release versions and timelines.
Remediation
Immediate actions: (1) Apply Dell security patches for PowerScale OneFS (consult the Dell Security Advisory for the specific patch versions addressing CVE-2024-53298, expected to be released in maintenance updates following 9.10.0.1); (2) Upgrade to PowerScale OneFS 9.11.0.0 or later if available and tested in your environment; (3) As an interim mitigation, restrict NFS export access via firewall rules to trusted subnets only, and disable NFS exports if not required; (4) Implement network segmentation to isolate PowerScale storage from untrusted networks; (5) Review NFS export configurations, including root-squash settings (such as no_root_squash) and security models, and apply restrictive export ACLs; (6) Monitor NFS access logs for unauthorized mount attempts. Contact Dell support for the patch availability timeline and for validation in your specific deployment (physical cluster vs. software OneFS). Testing patches in non-production environments before production deployment is strongly recommended.
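The following triage script is an added example, not code from Dell or from the original page. It applies the affected range given under Affected Products (9.5.0.0 through 9.10.0.1) and the trusted-subnet restriction from remediation step (3) to a cluster inventory. The inventory schema, cluster names, addresses, trusted subnet and status labels are constructed assumptions.

```python
import ipaddress

# Affected range as stated on this page: 9.5.0.0 through 9.10.0.1, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (9, 5, 0, 0), (9, 10, 0, 1)

def parse_version(text):
    """'9.10.0.1' -> (9, 10, 0, 1); shorter versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected OneFS version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version):
    # Compare numerically: as strings, "9.10.0.1" sorts before "9.5.0.0".
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def net_in(net, trusted):
    # subnet_of() raises TypeError across IPv4/IPv6, so check the family first.
    return net.version == trusted.version and net.subnet_of(trusted)

def untrusted_clients(clients, trusted_subnets):
    """Export client entries that are not wholly inside a trusted subnet."""
    trusted = [ipaddress.ip_network(n) for n in trusted_subnets]
    return [c for c in clients
            if not any(net_in(ipaddress.ip_network(c, strict=False), t) for t in trusted)]

def triage(cluster, trusted_subnets):
    """Classify one inventory record (hypothetical schema, see INVENTORY)."""
    if not is_affected(cluster["version"]):
        return "outside-listed-range"
    if not cluster["nfs_enabled"]:
        return "affected-nfs-off"
    # Assumption: an empty client list means the export accepts any client.
    clients = cluster["nfs_clients"]
    if not clients or untrusted_clients(clients, trusted_subnets):
        return "affected-exposed"
    return "affected-restricted"  # interim mitigation only; still needs the patch

# Constructed sample data: cluster names, versions in use and addresses are made up.
TRUSTED = ["10.20.0.0/16"]
INVENTORY = [
    {"name": "ps-a", "version": "9.10.0.1", "nfs_enabled": True, "nfs_clients": ["0.0.0.0/0"]},
    {"name": "ps-b", "version": "9.5.0.0", "nfs_enabled": True, "nfs_clients": ["10.20.4.0/24"]},
    {"name": "ps-c", "version": "9.4.0.0", "nfs_enabled": True, "nfs_clients": []},
    {"name": "ps-d", "version": "9.7.0.1", "nfs_enabled": False, "nfs_clients": []},
]

def report(inventory=INVENTORY, trusted=TRUSTED):
    return {c["name"]: triage(c, trusted) for c in inventory}
```

Calling `report()` returns a mapping of cluster name to status; clusters marked `affected-exposed` are the ones to patch or fence off first.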
EUVD-2024-54692