DSA-2020-124: Dell EMC Isilon OneFS Security Update for Multiple Vulnerabilities

• SNMPv2

CVE-2020-5364

Dell EMC Isilon OneFS versions 9.0.0 and earlier contain an SNMPv2 vulnerability. The SNMPv2 services is enabled, by default, with a pre-configured community string. This community string allows read-only access to many aspects of the Isilon cluster, some of which are considered sensitive and can foster additional access.

CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

• remotesupport

CVE-2020-5365

Dell EMC Isilon versions 9.0.0 and earlier contain a remotesupport vulnerability. The pre-configured support account, remotesupport, is bundled in the Dell EMC Isilon OneFS installation. This account is used for diagnostics and other support functions. Although the default password is different for every cluster, it is predictable.

CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected products:    
Dell EMC Isilon OneFS versions 9.0.0 and earlier.

Remediation:    
For Dell EMC Isilon OneFS versions 9.0.0 and earlier, see the Workarounds section below.


Workarounds:     
For SNMP 
There are two options:    

• Modify the SNMPv2 community string

• Disable the SNMPv2 interface

Note: The first option is recommended. However, if you do not need SNMPv2, it is recommended that you disable it.

To modify the SNMPv2 community string through the command line interface:    

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

2. Edit the <string>:    
   isi snmp settings modify --read-only-community=<new_string>

To disable the SNMPv2 interface:    
To disable the SNMPv2 interface on the OneFS web administration interface:     

1. On the webUI, click Cluster Management > General Settings > SNMP Monitoring.

2. In the SNMP Service Settings, uncheck the Enable SNMP Service check box. The SNMP service is enabled by default.

3. If your protocol is SNMPv2, ensure that the Allow SNMPv2 Access check box is unchecked. SNMPv2 is selected by default.

To disable the SNMPv2 interface through the command line interface:    

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

2. Run the following command:   
   isi snmp settings modify --snmp-v1-v2c-access=false

For the default Remotesupport account:     
There are two options:   

• Change the password

• Disable the account

Note: If you change the remotesupport password and you utilize TSE services with this account, you must provide the updated password whenever contacting Support so that a technical support engineer can still access the functions, as necessary.


Through the OneFS web administration interface:     
To change the password:     

1. On the webUI, go to Access > Membership and roles  > Users > Providers: "FILE: System" remotesupport user > View/Edit > Edit user > password field

2. Click Save Changes

To disable the account:     

1. On the webUI, go to Access > Membership and roles > Users > Providers: "FILE: System" remotesupport user > Disable 

Command line interface:     
To change the password:     

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

2. Run the following command:   
   isi auth users modify remotesupport  set-password

To disable the account:   

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

2. Run the following command:     
   isi auth users modify remotesupport --enabled false