Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
Sign In Create an Account Premier Sign In Partner Program Sign In
Contact Us

DSA-2022-057: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities.

Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that could be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

Critical

Details

 
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2022-26851 Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2022-26852 Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26854 Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24428 Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2022-26855 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22563 Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

 
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2022-26851 Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2022-26852 Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26854 Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24428 Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2022-26855 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22563 Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVE(s) Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2022-26851 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26852 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26854 9.0.0, 9.1.1.x, 9.2.0.x,
9.2.1.x, 9.3.0.x		 Upgrade your version of OneFS
9.1.0.x Download and install the latest RUP
9.4.0.x Contains the fix upon release
CVE-2022-24428 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26855 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22563 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE(s) Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2022-26851 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26852 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26854 9.0.0, 9.1.1.x, 9.2.0.x,
9.2.1.x, 9.3.0.x		 Upgrade your version of OneFS
9.1.0.x Download and install the latest RUP
9.4.0.x Contains the fix upon release
CVE-2022-24428 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26855 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22563 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP

Workarounds & Mitigations

CVE(s) Addressed Workaround and/or mitigation
CVE-2022-26851 none
CVE-2022-26852 none
CVE-2022-26854 Manually set the isi ssh settings to remove the KEy eXchange algorithms that are deprecated
1- To modify the supported key exchange algorithms (KEX algorithms): 
   #isi ssh settings modify --kex-algorithms="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,

    ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
2- Alternatively you may upgrade to Dell EMC PowerScale OneFS 9.4.0.0 which contains the fix

NOTE: The above is the default list with diffie-hellman-group14-sha1 removed.
CVE-2022-24428 none
CVE-2022-26855 none
CVE-2022-22563 none

Revision History

RevisionDateDescription
1.02022-04-04Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

PowerScale OneFS, Product Security Information
Article Properties
Article Number: 000197991
Article Type: Dell Security Advisory
Last Modified: 04 Apr 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.