DSA-2022-057: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities.
Zusammenfassung: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that could be exploited by malicious users to compromise the affected system.
Dieser Artikel gilt für
Dieser Artikel gilt nicht für
Dieser Artikel ist nicht an ein bestimmtes Produkt gebunden.
In diesem Artikel werden nicht alle Produktversionen aufgeführt.
Auswirkungen
Critical
Details
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-26851 | Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-26852 | Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-26854 | Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24428 | Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2022-26855 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22563 | Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-26851 | Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-26852 | Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-26854 | Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24428 | Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2022-26855 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22563 | Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
Betroffene Produkte und Korrektur
| CVE(s) Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2022-26851 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26852 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26854 | 9.0.0, 9.1.1.x, 9.2.0.x, 9.2.1.x, 9.3.0.x |
Upgrade your version of OneFS | |
| 9.1.0.x | Download and install the latest RUP | ||
| 9.4.0.x | Contains the fix upon release | ||
| CVE-2022-24428 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26855 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22563 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP |
| CVE(s) Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2022-26851 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26852 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26854 | 9.0.0, 9.1.1.x, 9.2.0.x, 9.2.1.x, 9.3.0.x |
Upgrade your version of OneFS | |
| 9.1.0.x | Download and install the latest RUP | ||
| 9.4.0.x | Contains the fix upon release | ||
| CVE-2022-24428 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26855 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22563 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP |
Workarounds und Korrekturmaßnahmen
| CVE(s) Addressed | Workaround and/or mitigation |
| CVE-2022-26851 | none |
| CVE-2022-26852 | none |
| CVE-2022-26854 | Manually set the isi ssh settings to remove the KEy eXchange algorithms that are deprecated 1- To modify the supported key exchange algorithms (KEX algorithms): #isi ssh settings modify --kex-algorithms="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384, ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"2- Alternatively you may upgrade to Dell EMC PowerScale OneFS 9.4.0.0 which contains the fix NOTE: The above is the default list with diffie-hellman-group14-sha1 removed. |
| CVE-2022-24428 | none |
| CVE-2022-26855 | none |
| CVE-2022-22563 | none |
Revisionsverlauf
| Revision | Date | Description |
| 1.0 | 2022-04-04 | Initial Release |
Zugehörige Informationen
Rechtlicher Hinweis
Betroffene Produkte
PowerScale OneFS, Product Security InformationArtikeleigenschaften
Artikelnummer: 000197991
Artikeltyp: Dell Security Advisory
Zuletzt geändert: 04 Apr. 2022
Antworten auf Ihre Fragen erhalten Sie von anderen Dell NutzerInnen
Support Services
Prüfen Sie, ob Ihr Gerät durch Support Services abgedeckt ist.