CVE-2024-25954 Overview
CVE-2024-25954 is an insufficient session expiration vulnerability affecting Dell PowerScale OneFS versions 9.5.0.x through 9.7.0.x. A remote unauthenticated attacker can exploit this flaw to trigger a denial of service (DoS) condition on affected storage clusters. The weakness is classified under CWE-613: Insufficient Session Expiration and stems from improper handling of session lifecycle states. Dell published the fix in security advisory DSA-2024-115 on March 28, 2024. The vulnerability requires no privileges and no user interaction, making it exposed to any attacker who can reach the management interface over the network.
Critical Impact
Remote unauthenticated attackers can exhaust session resources on Dell PowerScale OneFS clusters, resulting in denial of service and disruption of enterprise storage availability.
Affected Products
- Dell PowerScale OneFS 9.5.0.x
- Dell PowerScale OneFS 9.6.0.x
- Dell PowerScale OneFS 9.7.0.x
Discovery Timeline
- 2024-03-28 - Dell publishes security advisory DSA-2024-115
- 2024-03-28 - CVE-2024-25954 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-25954
Vulnerability Analysis
The vulnerability resides in how Dell PowerScale OneFS manages session expiration. OneFS is the distributed file system that powers Dell's scale-out NAS clusters and exposes network-accessible management and authentication endpoints. When session tokens or session state objects are not invalidated within an appropriate lifetime, attackers can repeatedly initiate sessions without proper teardown.
This behavior allows a remote attacker to consume server-side session resources at scale. The result is exhaustion of memory, connection slots, or session table entries on the cluster. Once resources are depleted, legitimate clients lose the ability to authenticate or access storage services, producing a denial of service against the cluster's availability.
The weakness only impacts availability. Confidentiality and integrity are not affected because the attacker does not obtain access to stored data or modify system state. However, in environments where PowerScale clusters host production workloads, the loss of availability disrupts dependent applications.
Root Cause
The root cause is improper enforcement of session expiration policies [CWE-613]. The application retains session state longer than necessary, and there is no mechanism to bound the number of concurrent unauthenticated sessions that a single source can create.
Attack Vector
The attack vector is the network. An unauthenticated remote attacker sends repeated session establishment requests to the exposed OneFS service. Because expired sessions are not promptly reclaimed, the attacker accumulates server-side state until resource limits are reached.
No verified public exploit or proof-of-concept code is currently available for this issue. Refer to the Dell Security Update Advisory for vendor-supplied technical details.
Detection Methods for CVE-2024-25954
Indicators of Compromise
- Sudden spike in concurrent session counts on PowerScale OneFS management or authentication services from a single or small set of source IPs.
- Repeated session initiation requests without corresponding logout or proper session termination events.
- Cluster log entries indicating session table saturation, connection refusals, or memory pressure on isi services.
- Legitimate user authentication failures or service timeouts coinciding with elevated network traffic.
Detection Strategies
- Monitor OneFS audit logs and isi_audit_d output for anomalous volumes of session creation events tied to a narrow source range.
- Baseline normal session establishment rates per source IP and alert when thresholds are exceeded.
- Correlate network flow telemetry with cluster service health metrics to identify resource exhaustion patterns.
Monitoring Recommendations
- Forward OneFS audit and protocol logs to a centralized SIEM for continuous analysis.
- Track cluster health KPIs including session table occupancy, memory usage, and connection rejection counts.
- Configure alerts for failed authentication bursts originating from untrusted network segments.
How to Mitigate CVE-2024-25954
Immediate Actions Required
- Upgrade Dell PowerScale OneFS to the fixed release identified in DSA-2024-115 for the corresponding 9.5.0.x, 9.6.0.x, or 9.7.0.x branch.
- Restrict network access to the OneFS management and authentication interfaces to trusted administrative subnets only.
- Review session and authentication logs for evidence of prior abuse patterns.
Patch Information
Dell released remediated versions as documented in the Dell Security Update Advisory DSA-2024-115. Apply the vendor-specified upgrade path for each affected OneFS branch. Customers running unsupported releases should plan migration to a supported and patched version.
Workarounds
- Apply network-layer access controls such as firewall rules or ACLs to limit reachability of the management plane.
- Enforce rate limiting at perimeter devices in front of the OneFS cluster to throttle session establishment attempts.
- Place OneFS administrative interfaces behind a VPN or jump host until patches can be deployed.
# Configuration example: restrict OneFS management access at the network perimeter
# Allow only the administrative subnet to reach the cluster management IP
iptables -A INPUT -s 10.10.50.0/24 -d <onefs-mgmt-ip> -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -d <onefs-mgmt-ip> -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

