CVE-2023-28078 : Dell OS10 Networking Switches running 10.5.2.x and above contain a vulnerability

Dell OS10 Networking Switches running 10.5.2.x and above contain a vulnerability with zeroMQ when VLT is configured. A remote unauthenticated attacker could potentially exploit this vulnerability leading to information disclosure and a possible Denial of Service when a huge number of requests are sent to the switch. This is a high severity vulnerability as it allows an attacker to view sensitive data. Dell recommends customers to upgrade at the earliest opportunity.

Published 2024-02-15 13:15:45

Updated 2025-01-23 17:03:49

Source Dell

View at NVD, CVE.org

Vulnerability category: Denial of serviceInformation leak

Products affected by CVE-2023-28078

Dell » Smartfabric Os10
Versions from including (>=) 10.5.2.0 and before (<) 10.5.2.12
cpe:2.3:o:dell:smartfabric_os10:*:*:*:*:*:*:*:*
Matching versions
Dell » Smartfabric Os10
Versions from including (>=) 10.5.3.0 and before (<) 10.5.3.8
cpe:2.3:o:dell:smartfabric_os10:*:*:*:*:*:*:*:*
Matching versions
Dell » Smartfabric Os10
Versions from including (>=) 10.5.4.0 and before (<) 10.5.4.8
cpe:2.3:o:dell:smartfabric_os10:*:*:*:*:*:*:*:*
Matching versions
Dell » Smartfabric Os10 » Version: 10.5.5.0
cpe:2.3:o:dell:smartfabric_os10:10.5.5.0:*:*:*:*:*:*:*
Matching versions
Dell » Smartfabric Os10 » Version: 10.5.5.3
cpe:2.3:o:dell:smartfabric_os10:10.5.5.3:*:*:*:*:*:*:*
Matching versions
Dell » Smartfabric Os10 » Version: 10.5.5.1
cpe:2.3:o:dell:smartfabric_os10:10.5.5.1:*:*:*:*:*:*:*
Matching versions
Dell » Smartfabric Os10 » Version: 10.5.5.2
cpe:2.3:o:dell:smartfabric_os10:10.5.5.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-28078

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-28078

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	NIST	2025-01-23
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	Dell	2024-02-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High

CWE ids for CVE-2023-28078

CWE-923 Improper Restriction of Communication Channel to Intended Endpoints

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Assigned by: security_alert@emc.com (Secondary)

References for CVE-2023-28078

https://www.dell.com/support/kbdoc/en-us/000216584/dsa-2023-124-security-update-for-dell-smartfabric-os10-multiple-vulnerabilities

DSA-2023-124: Security Update for Dell SmartFabric OS10 Multiple Vulnerabilities. | Dell US
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-28078

Products affected by CVE-2023-28078

Exploit prediction scoring system (EPSS) score for CVE-2023-28078

CVSS scores for CVE-2023-28078

CWE ids for CVE-2023-28078

References for CVE-2023-28078