CVE-2024-42422 Overview
CVE-2024-42422 is an authorization bypass vulnerability affecting Dell NetWorker version 19.10. The flaw is classified under [CWE-639] as Authorization Bypass Through User-Controlled Key. An unauthenticated remote attacker can exploit this weakness over the network without user interaction. Successful exploitation leads to information disclosure from the affected NetWorker instance.
Dell published security advisory DSA-2024-478 to address this issue. The vulnerability carries a CVSS 3.1 base score of 7.5 and is tracked with an EPSS probability of 0.119%.
Critical Impact
An unauthenticated remote attacker can bypass authorization checks in Dell NetWorker 19.10 and access sensitive information stored or processed by the backup platform.
Affected Products
- Dell NetWorker version 19.10
- Deployments using the vulnerable NetWorker server components
- Enterprise backup environments relying on the affected release
Discovery Timeline
- 2024-12-03 - CVE-2024-42422 published to the National Vulnerability Database
- 2024-12-03 - Dell publishes security advisory DSA-2024-478
- 2025-02-03 - Last updated in the NVD database
Technical Details for CVE-2024-42422
Vulnerability Analysis
The vulnerability resides in Dell NetWorker 19.10, an enterprise data protection and backup management platform. The flaw allows an unauthenticated attacker with network access to bypass authorization controls. Exploitation results in disclosure of information that should require valid credentials.
The CWE classification [CWE-639] indicates the application uses a key or identifier supplied by the client to retrieve resources without validating the requester's authorization for that key. An attacker can substitute identifiers to access data belonging to other users or system components.
No authentication, privileges, or user interaction are required. The attack is network-reachable, which makes any NetWorker management interface exposed to untrusted networks an immediate target.
Root Cause
The root cause is improper authorization on a user-controlled key. The application trusts an identifier provided in the request and returns the associated resource without confirming that the requester owns or may access that resource. This is a logic flaw in access enforcement rather than a memory-safety defect.
Attack Vector
The attack vector is network-based. An attacker sends crafted requests to the NetWorker service that reference identifiers belonging to other resources or principals. The service returns the referenced data because it omits the ownership or role check. Repeated requests with enumerated identifiers can extract larger volumes of information.
No verified proof-of-concept code is publicly available. See the Dell Security Update DSA-2024-478 for vendor technical details.
Detection Methods for CVE-2024-42422
Indicators of Compromise
- Unauthenticated HTTP or RPC requests to NetWorker management endpoints originating from unexpected source addresses
- Sequential or enumerated identifier values in request parameters targeting NetWorker resources
- Unusual volumes of read operations on backup metadata without preceding authentication events
- Access patterns to resource identifiers that do not correspond to any active administrative session
Detection Strategies
- Inspect NetWorker server access logs for requests that retrieve resources without an associated authenticated session identifier
- Correlate identifier values across requests to detect enumeration of user-controlled keys
- Alert on traffic to NetWorker management ports from outside designated administrator subnets
- Compare resource access events against expected backup job schedules to surface anomalies
Monitoring Recommendations
- Forward NetWorker logs to a centralized SIEM and retain at least 90 days of history
- Baseline normal request rates per source and alert on deviations
- Track authorization failure ratios and investigate sudden drops that may indicate bypass
- Monitor network flows for direct access to NetWorker from non-management network segments
How to Mitigate CVE-2024-42422
Immediate Actions Required
- Apply the Dell remediation described in advisory DSA-2024-478 on all NetWorker 19.10 servers
- Restrict network access to NetWorker management interfaces to trusted administrative hosts only
- Review NetWorker audit logs for evidence of unauthorized resource access since deployment of 19.10
- Rotate any credentials, tokens, or backup encryption keys that may have been exposed
Patch Information
Dell has released a fixed version of NetWorker. Refer to the Dell Security Update DSA-2024-478 for the patched build numbers and upgrade procedure. Administrators should follow Dell's documented upgrade path and validate backup operations after applying the update.
Workarounds
- Place NetWorker servers behind network segmentation that blocks access from general user networks
- Enforce firewall rules permitting only known administrator workstations to reach NetWorker ports
- Require VPN or jump-host access for all administrative connections to NetWorker
- Disable any externally exposed NetWorker management endpoints until the patch is applied
# Example firewall rule restricting NetWorker management access
# Replace 10.10.0.0/24 with your administrator subnet
iptables -A INPUT -p tcp --dport 7937:7938 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7937:7938 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
