DSA-2021-048: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities

Résumé: Dell PowerScale OneFS contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Cet article concerne Cet article ne concerne pas Cet article n’est associé à aucun produit spécifique. Toutes les versions du produit ne sont pas identifiées dans cet article.
Consulter d’autres ressources

Impact

Critical

Détails

Proprietary Code CVE(s) Description CVSSBase Score CVSS Vector String
CVE-2021-21526 Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root.
Note: If running in Compliance Mode, this is a critical vulnerability.		 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-26197 Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. 
Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.		 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21502 Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login.
Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available.		 9.8
(prior disclosure)		 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proprietary Code CVE(s) Description CVSSBase Score CVSS Vector String
CVE-2021-21526 Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root.
Note: If running in Compliance Mode, this is a critical vulnerability.		 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-26197 Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. 
Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.		 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21502 Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login.
Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available.		 9.8
(prior disclosure)		 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Dell Technologies recommande à tous les clients de prendre en compte à la fois le score de base CVSS et les scores temporels et environnementaux pertinents qui peuvent avoir un impact sur la gravité potentielle associée à une faille de sécurité donnée.

Produits concernés et mesure corrective

CVE Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2021-21526 9.0 Upgrade your OneFS version



PowerScale Downloads Area on https://www.dell.com
9.1 March RUP_2021-03

CVE-2020-26197		 8.1.0, 8.1.1 Upgrade your OneFS version
8.1.2 March RUP_2021-03
8.2.2 November RUP_2020-11 

CVE-2021-21502		 8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0 Upgrade your OneFS version
9.1.0 RUP 2021-01
8.1.2, 8.2.2 RUP 2021-03

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVE Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2021-21526 9.0 Upgrade your OneFS version



PowerScale Downloads Area on https://www.dell.com
9.1 March RUP_2021-03

CVE-2020-26197		 8.1.0, 8.1.1 Upgrade your OneFS version
8.1.2 March RUP_2021-03
8.2.2 November RUP_2020-11 

CVE-2021-21502		 8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0 Upgrade your OneFS version
9.1.0 RUP 2021-01
8.1.2, 8.2.2 RUP 2021-03

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Solutions de contournement et mesures d’atténuation

CVE ID Workaround(s) and Mitigation(s)
CVE-2021-21526 None.
CVE-2020-26197 Disable LDAP Providers.
CVE-2021-21502
  1. Removing authorized_keys files from homedir/.ssh of expired accounts
  2. Removing expired accounts from roles that have ISI_AUTH_PRIV_SSH
Disabling public key authentication in SSH; login to your cluster with a username which has the appropriate privileges, and at the prompt, enter the following CLI commands:    
# isi ssh modify --auth-settings-template=custom
# isi ssh settings modify --pubkey-authentication=false

Historique des révisions

RevisionDateDescription
1.02021-04-12Initial Release

Informations connexes

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Mention légale

Produits concernés

PowerScale OneFS

Produits

Product Security Information
Propriétés de l’article
Numéro d’article: 000185202
Type d’article: Dell Security Advisory
Dernière modification: 28 Sep 2021
Trouvez des réponses à vos questions auprès d’autres utilisateurs Dell
Services de support
Vérifiez si votre appareil est couvert par les services de support.