Dell PowerProtect Data Domain Argument Injection Vulnerability Allowing Arbitrary Command Execution and Privilege Escalation

Vulnerability

An improper neutralization of argument delimiters in a command, known as argument injection, has been identified in Dell PowerProtect Data Domain systems running Data Domain Operating System (DD OS) versions 7.7.1.0 prior to 8.1.0.10, as well as LTS2024 release versions 7.13.1.0 through 7.13.1.25 and LTS2023 release versions 7.10.1.0 through 7.10.1.50. A high-privileged attacker with local access could exploit this vulnerability, potentially leading to arbitrary command execution. Exploitation may allow privilege escalation to root.

Impact

Exploitation of this vulnerability could lead to arbitrary command execution with root privileges, allowing for unauthorized access and control over the system.

Remediation

Users can upgrade to Dell PowerProtect Data Domain DD OS versions 8.3.0.10 or later, or version 7.13.1.30 or later. Instructions for upgrading the Data Domain Operating System are available on the Dell Support website.

Added: Oct 7, 2025, 8:24 PM
Updated: Oct 7, 2025, 8:24 PM