DSA-2020-093: Dell EMC Isilon OneFS and Dell EMC PowerScale OneFS Security Update for NFS Configuration Vulnerabilities

Mitigation is required for any cluster with an NFS configuration that allows access to the admin user’s home directory, such as:

• A cluster upgraded to a remediated version, retaining the default NFS configuration from the original installation

Example: A cluster installed using OneFS 8.0.0 with the default NFS configuration, and later upgraded to OneFS 9.0.0.

• A cluster installed on a version where the /ifs NFS export was manually created and the NFS service was enabled.

Example: A cluster installed using OneFS 9.0.0 where the NFS export for /ifs was manually created and the NFS service enabled.

Note: Fresh installations of clusters using any remediated version have the NFS service disabled by default, and no /ifs NFS export is created. These installations do not require additional mitigation.

Mitigation

Apply one of the recommended mitigation steps to remediate this vulnerability:

Option 1: Disable NFS

• Open an SSH connection to any node in the cluster.
• Log in as root.
• Disable NFS by running the following command:

isi services nfs disable

Option 2: Move the Admin Home Directory

• Refer to KB article titled How to move the admin home directory for details.

Option 3: Configure Kerberos Authentication for NFS Access

• Refer to the following sections of the Product CLI Administration Guide:   
  • Authentication chapter, Managing MIT Kerberos authentication section.
  • File sharing chapter, Managing NFS Exports section.

• Additional guidance is available in the Isilon Product NFS Design Considerations and Best Practices whitepaper, sections:
  
  • 5.2.1 Using NFS with Active Directory Kerberos
  • 5.2.2 Using NFS with MIT Kerberos