DSA-2021-048: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
Summary: Dell PowerScale OneFS contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Proprietary Code CVE(s) | Description | CVSSBase Score | CVSS Vector String |
| CVE-2021-21526 | Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root. Note: If running in Compliance Mode, this is a critical vulnerability. |
6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-26197 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider. |
7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2021-21502 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login. Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available. |
9.8 (prior disclosure) |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Proprietary Code CVE(s) | Description | CVSSBase Score | CVSS Vector String |
| CVE-2021-21526 | Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root. Note: If running in Compliance Mode, this is a critical vulnerability. |
6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-26197 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider. |
7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2021-21502 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login. Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available. |
9.8 (prior disclosure) |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Affected Products & Remediation
| CVE Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2021-21526 | 9.0 | Upgrade your OneFS version | PowerScale Downloads Area on https://www.dell.com |
| 9.1 | March RUP_2021-03 | ||
CVE-2020-26197 |
8.1.0, 8.1.1 | Upgrade your OneFS version | |
| 8.1.2 | March RUP_2021-03 | ||
| 8.2.2 | November RUP_2020-11 | ||
CVE-2021-21502 |
8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0 | Upgrade your OneFS version | |
| 9.1.0 | RUP 2021-01 | ||
| 8.1.2, 8.2.2 | RUP 2021-03 |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVE Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2021-21526 | 9.0 | Upgrade your OneFS version | PowerScale Downloads Area on https://www.dell.com |
| 9.1 | March RUP_2021-03 | ||
CVE-2020-26197 |
8.1.0, 8.1.1 | Upgrade your OneFS version | |
| 8.1.2 | March RUP_2021-03 | ||
| 8.2.2 | November RUP_2020-11 | ||
CVE-2021-21502 |
8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0 | Upgrade your OneFS version | |
| 9.1.0 | RUP 2021-01 | ||
| 8.1.2, 8.2.2 | RUP 2021-03 |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Workarounds & Mitigations
| CVE ID | Workaround(s) and Mitigation(s) |
| CVE-2021-21526 | None. |
| CVE-2020-26197 | Disable LDAP Providers. |
| CVE-2021-21502 |
Disabling public key authentication in SSH; login to your cluster with a username which has the appropriate privileges, and at the prompt, enter the following CLI commands:
# isi ssh modify --auth-settings-template=custom
# isi ssh settings modify --pubkey-authentication=false
|
Revision History
| Revision | Date | Description |
| 1.0 | 2021-04-12 | Initial Release |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFSProducts
Product Security InformationArticle Properties
Article Number: 000185202
Article Type: Dell Security Advisory
Last Modified: 28 Sep 2021
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.