Dell Enterprise SONIC OS Patches Critical Security Vulnerabilities
Dell has released security updates for its Enterprise SONIC operating system to address multiple vulnerabilities, including critical ones that could allow attackers to compromise affected systems.
The vulnerabilities, identified as CVE-2024-45763, CVE-2024-45764, and CVE-2024-45765, affect Dell Enterprise SONIC OS versions 4.1.x and 4.2.x. The vulnerabilities reported by the TIANGONG Team of Legendsec at QI-ANXIN
- CVE-2024-45763: An OS Command Injection vulnerability in the affected SONiC versions could enable “a high privileged attacker with remote access [to] exploit this vulnerability, leading to Command execution.” Dell strongly advises upgrading to patched versions to mitigate this 9.1 CVSS-scored risk
- CVE-2024-45764: A Missing Critical Step in Authentication flaw allows “an unauthenticated attacker with remote access [to] potentially exploit this vulnerability, leading to Protection mechanism bypass.” With a 9.0 CVSS score, this vulnerability also underscores the need for an immediate upgrade
- CVE-2024-45765: Another OS Command Injection vulnerability with a CVSS score of 9.1 enables high-privilege commands to be executed under a less privileged role, which could lead to command execution.
“This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity,” the advisory states.
Dell has released updated versions of its Enterprise SONIC OS to address these vulnerabilities. Users are urged to upgrade to versions 4.1.6 or 4.2.2 as soon as possible.