DSA-2022-057: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities.
Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-26851 | Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-26852 | Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-26854 | Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24428 | Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2022-26855 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22563 | Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-26851 | Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2022-26852 | Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-26854 | Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24428 | Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2022-26855 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22563 | Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
Affected Products & Remediation
| CVE(s) Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2022-26851 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26852 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26854 | 9.0.0, 9.1.1.x, 9.2.0.x, 9.2.1.x, 9.3.0.x |
Upgrade your version of OneFS | |
| 9.1.0.x | Download and install the latest RUP | ||
| 9.4.0.x | Contains the fix upon release | ||
| CVE-2022-24428 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26855 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22563 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP |
| CVE(s) Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2022-26851 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26852 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26854 | 9.0.0, 9.1.1.x, 9.2.0.x, 9.2.1.x, 9.3.0.x |
Upgrade your version of OneFS | |
| 9.1.0.x | Download and install the latest RUP | ||
| 9.4.0.x | Contains the fix upon release | ||
| CVE-2022-24428 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-26855 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22563 | 9.0.0, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP |
Workarounds & Mitigations
| CVE(s) Addressed | Workaround and/or mitigation |
| CVE-2022-26851 | none |
| CVE-2022-26852 | none |
| CVE-2022-26854 | Manually set the isi ssh settings to remove the KEy eXchange algorithms that are deprecated 1- To modify the supported key exchange algorithms (KEX algorithms): #isi ssh settings modify --kex-algorithms="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384, ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"2- Alternatively you may upgrade to Dell EMC PowerScale OneFS 9.4.0.0 which contains the fix NOTE: The above is the default list with diffie-hellman-group14-sha1 removed. |
| CVE-2022-24428 | none |
| CVE-2022-26855 | none |
| CVE-2022-22563 | none |
Revision History
| Revision | Date | Description |
| 1.0 | 2022-04-04 | Initial Release |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFS, Product Security InformationArticle Properties
Article Number: 000197991
Article Type: Dell Security Advisory
Last Modified: 04 Apr 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.