DSA-2022-024: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-24411 | Dell PowerScale OneFS 8.2.2 and later contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to elevation of privilege. This may potentially allow users to circumvent PowerScale Compliance Mode guarantees. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24412 | Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to denial-of-service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23161 | Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23160 | Dell PowerScale OneFS 8.2.x - 9.3.0 contain an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user may potentially exploit this vulnerability, leading to gaining write permissions on read-only files. | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| CVE-2022-23159 | Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges may potentially exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H |
| CVE-2022-23163 | Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a denial of service vulnerability. A local attacker with minimal privileges may potentially exploit this vulnerability, leading to denial of service/data unavailability. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-24413 | Dell PowerScale OneFS 8.2.2-9.3.x contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem may potentially exploit this vulnerability, leading to data loss. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| Third-Party Component | CVE | More information |
| Apache Portable Runtime | CVE-2017-12613 | CVE-2021-35940 |
Affected Products & Remediation
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-24411 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24412 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23161 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2017-12613 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23160 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23159 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23163 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24413 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-24411 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24412 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23161 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2017-12613 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23160 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23159 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23163 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24413 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP |
Workarounds & Mitigations
| CVEs addressed | Workaround or Mitigation |
| CVE-2022-24411 | none |
| CVE-2022-24412 | Disable netbios support if enabled (default setting: disabled):
#isi smb settings global modify --support-netbios no
#isi smb settings global view | grep NetBIOS If the service is disabled, the following output is displayed: #Support NetBIOS: No |
| CVE-2022-23161 | Configure a valid FQDN in the SmartConnect service name field for every SmartConnect subnet on the cluster: #isi network subnets modify <subnet> --sc-service-name cluster-sc.example.com |
| CVE-2017-12613 | none |
| CVE-2022-23160 | Configure SMB share permissions of any SyncIQ target directory to prevent writes. |
| CVE-2022-23159 | none |
| CVE-2022-23163 | none |
| CVE-2022-24413 | none |
Revision History
| Revision | Date | Description |
| 1.0 | 2022-03-03 | Initial |
| 1.1 | 2022-03-04 | Corrected Impact |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFSProducts
Product Security InformationArticle Properties
Article Number: 000196009
Article Type: Dell Security Advisory
Last Modified: 30 Nov 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.