Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000197991


DSA-2022-057: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities.

Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

Critical

Details

 
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2022-26851 Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2022-26852 Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26854 Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24428 Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2022-26855 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22563 Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

 
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2022-26851 Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2022-26852 Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26854 Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24428 Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2022-26855 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22563 Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVE(s) Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2022-26851 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26852 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26854 9.0.0, 9.1.1.x, 9.2.0.x,
9.2.1.x, 9.3.0.x
Upgrade your version of OneFS
9.1.0.x Download and install the latest RUP
9.4.0.x Contains the fix upon release
CVE-2022-24428 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26855 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22563 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE(s) Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2022-26851 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26852 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26854 9.0.0, 9.1.1.x, 9.2.0.x,
9.2.1.x, 9.3.0.x
Upgrade your version of OneFS
9.1.0.x Download and install the latest RUP
9.4.0.x Contains the fix upon release
CVE-2022-24428 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26855 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22563 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP

Workarounds and Mitigations

CVE(s) Addressed Workaround and/or mitigation
CVE-2022-26851 none
CVE-2022-26852 none
CVE-2022-26854 Manually set the isi ssh settings to remove the KEy eXchange algorithms that are deprecated
1- To modify the supported key exchange algorithms (KEX algorithms):
   #isi ssh settings modify --kex-algorithms="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,

    ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
2- Alternatively you may upgrade to Dell EMC PowerScale OneFS 9.4.0.0 which contains the fix

NOTE: The above is the default list with diffie-hellman-group14-sha1 removed.
CVE-2022-24428 none
CVE-2022-26855 none
CVE-2022-22563 none

Revision History

RevisionDateDescription
1.02022-04-04Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Article Properties


Affected Product

PowerScale OneFS, Product Security Information

Last Published Date

04 Apr 2022

Version

1

Article Type

Dell Security Advisory