Article Number: 000182873
Critical
Proprietary Code CVE(s) | Description | CVSSBase Score | CVSS Vector String |
CVE-2021-21502 | Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability. A user on the network with the ISI_PRIV_AUTH_SSH RBAC privilege that has an expired account may potentially exploit this vulnerability, giving them access to the same things they had before account expiration. This may by a high privileged account and hence Dell recommends customers upgrade at the earliest opportunity. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26196 | Dell EMC PowerScale OneFS versions 8.1.0-9.1.0 contain a Backup/Restore Privilege implementation issue. A user with the BackupAdmin role may potentially exploit this vulnerability resulting in the ability to write data outside of the intended file system location. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CVE-2020-26195 | Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVE-2020-26194 | Dell EMC PowerScale OneFS versions 8.1.2 and 8.2.2 contain an Incorrect Permission Assignment for a Critical Resource vulnerability. This may allow a non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to exploit the vulnerability, leading to compromised cryptographic operations. | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26193 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability. A user with the ISI_PRIV_CLUSTER privilege may exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26192 | Dell EMC PowerScale OneFS versions 8.2.0 - 9.1.0 contain a privilege escalation vulnerability. A non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH may potentially exploit this vulnerability to read arbitrary data, tamper with system software or deny service to users. Note: No non-admin users or roles have these privileges by default. |
7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26191 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain a privilege escalation vulnerability. A user with ISI_PRIV_JOB_ENGINE may use the PermissionRepair job to grant themselves the highest level of RBAC privileges thus being able to read arbitrary data, tamper with system software or deny service to users. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Proprietary Code CVE(s) | Description | CVSSBase Score | CVSS Vector String |
CVE-2021-21502 | Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability. A user on the network with the ISI_PRIV_AUTH_SSH RBAC privilege that has an expired account may potentially exploit this vulnerability, giving them access to the same things they had before account expiration. This may by a high privileged account and hence Dell recommends customers upgrade at the earliest opportunity. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26196 | Dell EMC PowerScale OneFS versions 8.1.0-9.1.0 contain a Backup/Restore Privilege implementation issue. A user with the BackupAdmin role may potentially exploit this vulnerability resulting in the ability to write data outside of the intended file system location. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CVE-2020-26195 | Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVE-2020-26194 | Dell EMC PowerScale OneFS versions 8.1.2 and 8.2.2 contain an Incorrect Permission Assignment for a Critical Resource vulnerability. This may allow a non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to exploit the vulnerability, leading to compromised cryptographic operations. | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26193 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability. A user with the ISI_PRIV_CLUSTER privilege may exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26192 | Dell EMC PowerScale OneFS versions 8.2.0 - 9.1.0 contain a privilege escalation vulnerability. A non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH may potentially exploit this vulnerability to read arbitrary data, tamper with system software or deny service to users. Note: No non-admin users or roles have these privileges by default. |
7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-26191 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain a privilege escalation vulnerability. A user with ISI_PRIV_JOB_ENGINE may use the PermissionRepair job to grant themselves the highest level of RBAC privileges thus being able to read arbitrary data, tamper with system software or deny service to users. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
CVE(s) Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
CVE-2021-21502 | 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.1.2, 8.2.2, 9.0.0 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
9.1.0 | RUP 2021-01 | ||
CVE-2020-26196 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.2.2, 9.0.0 | October 2020 RUP for your OneFS version | ||
8.1.2, 8.2.1, 9.1.0 | November 2020 RUP for your OneFS version | ||
CVE-2020-26195 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
CVE-2020-26194 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
CVE-2020-26193 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
CVE-2020-26192 | 8.2.0, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | PowerScale Downloads area. |
CVE-2020-26191 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 |
CVE(s) Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
CVE-2021-21502 | 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.1.2, 8.2.2, 9.0.0 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
9.1.0 | RUP 2021-01 | ||
CVE-2020-26196 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.2.2, 9.0.0 | October 2020 RUP for your OneFS version | ||
8.1.2, 8.2.1, 9.1.0 | November 2020 RUP for your OneFS version | ||
CVE-2020-26195 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
CVE-2020-26194 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
CVE-2020-26193 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
CVE-2020-26192 | 8.2.0, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | PowerScale Downloads area. |
CVE-2020-26191 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 |
CVE ID | Workaround(s) and Mitigation(s) |
CVE-2021-21502 |
# isi ssh settings modify --pubkey-authentication=false
|
CVE-2020-26196 |
|
CVE-2020-26195 | None |
CVE-2020-26194 |
|
CVE-2020-26193 | None |
CVE-2020-26192 | The upgrade agent may be disabled up until an upgrade/patching activity needs to take place:
# isi services -a isi_upgrade_agent_d disable
# isi services -a isi_upgrade_agent_d enable
|
CVE-2020-26191 | None |
Revision | Date | Description |
1.0 | 2021-02-08 | Initial Release |
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.
PowerScale OneFS, Product Security Information
05 Mar 2021
2
Dell Security Advisory