Dell security advisory (AV26-389)
# Vulnerability: Multiple Vulnerabilities in Dell Networking, Storage, and VxRail Products
## CVE Details
- **CVE ID:** Multiple (See Description)
- **CVSS Score:** Up to 9.8 (Critical) - *Based on standard ratings for third-party component vulnerabilities commonly addressed in these suites.*
- **CWE:** Multiple (Includes third-party component flaws)
## Affected Systems
- **Products & Versions:**
  - **Dell Networking OS10:** Versions prior to 10.6.0.8
  - **Dell Storage Monitoring and Reporting (SMR):** Versions prior to 6.1.0.0
  - **Dell Storage Resource Manager (SRM):** Versions prior to 6.1.0.0
  - **Dell VxRail Appliance:** Versions 8.0.000 to 8.0.370
- **Configurations:** Systems running default installations of the above firmware/software are generally affected.
## Vulnerability Description
This advisory covers several distinct security updates:
1. **DSA-2026-160 (Dell Networking OS10):** Addresses vulnerabilities specific to the OS10 networking operating system.
2. **DSA-2026-126 & DSA-2026-196 (VxRail, SRM, and SMR):** These updates primarily address security flaws found in **third-party components** integrated into Dell software suites. These typically include vulnerabilities in open-source libraries, web servers, or database components used within the storage management and hyperconverged infrastructure.
## Exploitation
- **Status:** No report of active exploitation in the wild at the time of publication.
- **Complexity:** Low to Medium (Depending on the specific third-party component).
- **Attack Vector:** Network (Most vulnerabilities in these management suites are reachable via the management network).
## Impact
- **Confidentiality:** High (Risk of unauthorized data access).
- **Integrity:** High (Risk of unauthorized configuration changes).
- **Availability:** High (Risk of Denial of Service for critical infrastructure components).
## Remediation
### Patches
Dell recommends upgrading to the following versions:
- **Dell Networking OS10:** Upgrade to version **10.6.0.8** or later.
- **Dell Storage Monitoring and Reporting (SMR):** Upgrade to version **6.1.0.0** or later.
- **Dell Storage Resource Manager (SRM):** Upgrade to version **6.1.0.0** or later.
- **Dell VxRail Appliance:** Upgrade to version **8.0.380** (or the latest version succeeding the 8.0.370 branch).
### Workarounds
- Ensure management interfaces for OS10, SRM, SMR, and VxRail are isolated on secure management VLANs.
- Limit access to these interfaces using Access Control Lists (ACLs) or firewalls to trusted administrative IPs only.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins, unauthorized configuration changes in networking hardware, or unexpected outbound traffic from management consoles.
- **Detection Methods:** Vulnerability scanners (e.g., Nessus, Qualys) updated with the latest Dell signatures can identify version mismatches.
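
The version-mismatch check can also be run against an asset inventory directly. The following is an added example, not Dell tooling or part of the advisory; it applies the affected ranges and fixed versions listed above. The product keys, hostnames and build-suffix format are assumptions, and versions that fall outside the stated VxRail range are flagged for manual review rather than guessed.

```python
import re

# From the advisory text above: (lowest affected or None for "all prior",
# highest affected or None, first fixed version). Product keys are assumed.
RULES = {
    "os10":   (None, None, "10.6.0.8"),
    "smr":    (None, None, "6.1.0.0"),
    "srm":    (None, None, "6.1.0.0"),
    "vxrail": ("8.0.000", "8.0.370", "8.0.380"),
}

def parse(version):
    """Leading dotted-numeric part as an int tuple; build suffixes are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def less(a, b):
    """a < b after zero-padding, so 10.6 compares equal to 10.6.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def classify(product, version):
    rule, v = RULES.get(product.lower()), parse(version)
    if rule is None or v is None:
        return "unknown"        # product not in this advisory, or unparsable
    low, high, fixed = (parse(x) if x else None for x in rule)
    if not less(v, fixed):
        return "fixed"
    if low is not None and less(v, low):
        return "not-listed"     # older branch the advisory does not mention
    if high is not None and less(high, v):
        return "review"         # between last affected and first fixed build
    return "affected"

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("leaf-sw-01", "os10", "10.5.6.1"),
    ("leaf-sw-02", "os10", "10.6.0.8"),
    ("srm-01", "srm", "5.0.2.0"),
    ("vxrail-a", "vxrail", "8.0.370-28541789"),
    ("vxrail-b", "vxrail", "7.0.480"),
    ("vxrail-c", "vxrail", "8.0.380"),
]

def triage(inventory):
    return {host: classify(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `not-listed` or `review` are not cleared by this advisory; check them against Dell's own DSA pages.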
## References
- **Dell Technical Support (OS10):** hxxps[://]www[.]dell[.]com/support/kbdoc/en-ca/000455955/dsa-2026-160-security-update-for-dell-networking-os10-vulnerabilities
- **Dell Technical Support (VxRail):** hxxps[://]www[.]dell[.]com/support/kbdoc/en-ca/000456372/dsa-2026-126-security-update-for-dell-vxrail-for-multiple-third-party-component-vulnerabilities
- **Dell Technical Support (SRM/SMR):** hxxps[://]www[.]dell[.]com/support/kbdoc/en-ca/000456382/dsa-2026-196-dell-storage-resource-manager-srm-and-dell-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities
- **Dell Security Portal:** hxxps[://]www[.]dell[.]com/support/security/en-ca