CVE-2023-32462 (CVSS 9.8): Patch Dell Switches to Block Takeover

If your data center relies on Dell SmartFabric OS10, a security checkup is non-negotiable. Recently disclosed vulnerabilities (CVE-2023-28078 and CVE-2023-32462) pose a severe threat. They range from sensitive data exposure, and service disruption, all the way to the potential complete takeover of your critical network switches. The delay leaves your company open to unacceptable risks.

Dell SmartFabric OS10 is a network operating system specifically designed for data center fabrics. It’s the software intelligence powering several of Dell’s modern modular and PowerSwitch series network switches.

• CVE-2023-28078 (CVSS 9.1): If Virtual Link Trunking (VLT) is actively used, this flaw compromises zeroMQ security measures, enabling:
  • Unauthorized information disclosure: Sensitive network communications become accessible to attackers.
  • Potential Denial of Service (DoS): An influx of requests could be used to disrupt your switches.
• CVE-2023-32462 (CVSS 9.8): This vulnerability is exceptionally severe. Targeting remote user authentication potentially gives attackers elevated privileges to the underlying operating system of a network switch. Exploitation could enable the ability to:
  • Execute arbitrary commands remotely.
  • Modify or wipe configuration files, causing service interruption.
  • Install malware/backdoors within your network.

“A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands and possible system takeover. This is a critical vulnerability as it allows an attacker to cause severe damage. Dell recommends customers to upgrade at the earliest opportunity,” Dell wrote in its security advisory.

Affected Products and Remediation