Buffer overflow and out-of-bounds read zero-day vulnerabilities in Dell PowerPath for Windows

Cybersecurity specialists report the detection of two vulnerabilities in Dell PowerPath for Windows, a family of software products that ensures consistent application availability and performance across I/O paths on physical and virtual platforms. According to the report, successful exploitation of these flaws would allow threat actors to deploy multiple attack variants.

Below are brief descriptions of the reported flaws, along with their respective tracking keys and the scores assigned according to the Common Vulnerability Scoring System (CVSS). It is worth mentioning that so far no official updates have been released to address these problems, and no workarounds are known.

CVE-2021-3711: A boundary error in the EVP_PKEY_decrypt() function for SM2 decryption would allow remote threat actors to submit specially crafted SM2 content for decryption, triggering a 62-byte buffer overflow and allowing arbitrary code execution.

This vulnerability received a CVSS score of 9/10 and its successful exploitation would allow threat actors to fully compromise the target system. The flaw resides in all versions of Dell PowerPath for Windows.

CVE-2021-3712: This flaw, on the other hand, exists due to a boundary condition when processing ASN.1 strings, related to confusion over the NULL termination of the strings' byte arrays.

Malicious hackers could pass specially crafted data to the affected application to access the contents of system memory and even deploy denial of service (DoS) attacks.

This flaw resides in all Dell PowerPath for Windows versions and received a CVSS score of 6/10.
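The bug class described for CVE-2021-3712, as an added example that is not code from the affected product or its libraries: a length-delimited string is treated as a NUL-terminated C string, so a read runs past the declared length. The `lenstr` type, the function names and the sample bytes are constructed for illustration; rejecting embedded NUL bytes is a design choice of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-delimited string: pointer plus explicit length,
 * with no guarantee that data[length] is a NUL byte. */
struct lenstr {
    const unsigned char *data;
    size_t length;
};

/* Constructed sample: 11 declared bytes followed by unrelated bytes in the
 * same array, so the over-read shown below stays inside one object. */
static const unsigned char backing[] = "example.comADJACENT-HEAP-DATA";

struct lenstr sample(void) {
    struct lenstr s = { backing, 11 };
    return s;
}

/* Flawed assumption: treats data as a C string and ignores s->length.
 * On real heap data the scan continues until some NUL byte is found. */
size_t naive_len(const struct lenstr *s) {
    return strlen((const char *)s->data);
}

/* Hardened conversion: bounded by the declared length, explicit terminator.
 * Returns bytes copied, or -1 if out is too small or data embeds a NUL. */
long safe_copy(const struct lenstr *s, char *out, size_t outsz) {
    if (s->length >= outsz)
        return -1;                       /* no room for the terminator */
    if (memchr(s->data, 0, s->length) != NULL)
        return -1;                       /* would truncate as a C string */
    memcpy(out, s->data, s->length);
    out[s->length] = '\0';
    return (long)s->length;
}

int main(void) {
    struct lenstr s = sample();
    char out[32];
    printf("declared=%zu naive=%zu\n", s.length, naive_len(&s));
    if (safe_copy(&s, out, sizeof out) >= 0)
        printf("safe copy: %s\n", out);
    return 0;
}
```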

The flaws can be exploited remotely by unauthenticated threat actors; however, at the time of writing, no active exploitation attempts have been detected. Still, cybersecurity specialists recommend that users of affected implementations watch for any update from the developers, considering that these flaws have not been patched yet.
