Thorsten Tüllmann

**Name of the Vulnerable Software and Affected Versions** Dell EMC Unisphere for PowerMax versions prior to 9.1.0.27 Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.27 PowerMax OS Release 5978 **Description** The issue is related to an improper certificate validation, which could allow an unauthenticated remote attacker to carry out a man-in-the-middle attack. This is done by supplying a crafted certificate, enabling the attacker to intercept the victim's traffic, view, or modify a victim’s data in transit. **Recommendations** For Dell EMC Unisphere for PowerMax versions prior to 9.1.0.27, update to version 9.1.0.27 or later. For Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.27, update to version 9.1.0.27 or later. For PowerMax OS Release 5978, update to a release that includes the fix for this issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to detect and prevent man-in-the-middle attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Dell EMC SCG versions 5.00.00.10 and earlier **Description** A sensitive information disclosure issue exists, allowing a local malicious user to read sensitive information and potentially use it. **Recommendations** For versions 5.00.00.10 and earlier, update to a version later than 5.00.00.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dell OpenManage Enterprise-Modular (OME-M) versions prior to 1.30.00 **Description** The issue allows an authenticated malicious user with low privileges to potentially exploit a security bypass, leading to information disclosure and elevation of privilege by escaping the restricted environment and accessing sensitive system information. **Recommendations** For versions prior to 1.30.00, update to version 1.30.00 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: VMware vCenter Server versions 6.7 before 6.7u3, 6.6 before 6.5u3k Description: The issue is related to a lack of certificate validation in the vCenter Server Appliance Management Interface update function, which can allow a remote attacker to impact the integrity, confidentiality, and availability of protected information. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates. Recommendations: For versions 6.7 before 6.7u3, update to version 6.7u3 or later to resolve the issue. For versions 6.6 before 6.5u3k, update to version 6.5u3k or later to resolve the issue. As a temporary workaround, consider restricting network access to the vCenter Server Appliance Management Interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VMware vCenter Server Appliance versions 6.7 before 6.7u3a VMware vCenter Server Appliance versions 6.5 before 6.5u3d **Description** The issue is related to a lack of certificate validation during File-Based Backup and Restore operations, which may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during these operations. **Recommendations** For versions 6.7 before 6.7u3a, update to version 6.7u3a or later to resolve the issue. For versions 6.5 before 6.5u3d, update to version 6.5u3d or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** VMware vCenter Server Appliance versions 6.7 before 6.7u3a VMware vCenter Server Appliance versions 6.5 before 6.5u3d **Description** The issue is related to a lack of certificate validation during File-Based Backup and Restore operations, which may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during these operations. The vulnerability can also be exploited to gain unauthorized access to protected information using FTPS and HTTPS protocols. **Recommendations** For versions 6.7 before 6.7u3a, update to version 6.7u3a or later to resolve the issue. For versions 6.5 before 6.5u3d, update to version 6.5u3d or later to resolve the issue. As a temporary workaround, consider restricting access to the backup target and using secure communication protocols to minimize the risk of exploitation.