Various Dell Unity storage array products need a driver patch to take care of an authentication bug in the Unisphere UI.
The company’s advisory explains that the systems don’t block excessive authentication attempts.
This gives an attacker the chance to launch brute force attacks against Dell Unity, UnityVSA and Unity XT versions before 5.2.0.0.5.173 and take over accounts with weak passwords.
The bug, designated CVE-2022-29084, has a Common Vulnerability Scoring System (CVSS) score of 8.1.
A second authentication vulnerability included in the advisory, CVE-2022-29085, has a CVSS score of 6.4.
The advisory states that “certain off-array tools” store high-privilege user credentials in plain text.
However, the credentials are only accessible to a local malicious user with high privileges.
The update also includes patches for more than 100 third-party products and libraries dating back to a pair of sqlite3 fixes from 2015, and 14 OpenSSL bugs from this year.