DSA-2025-119: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.


Impact

Critical

Details

Proprietary Code CVEs

CVE-2025-27690
Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high-privileged user account.
CVSS Base Score: 9.8
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2025-26330
Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with the previous privileges of a disabled user account.
CVSS Base Score: 7.0
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2025-22471
Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
CVSS Base Score: 6.5
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2025-26480
Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.0, contains an uncontrolled resource consumption vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
CVSS Base Score: 5.3
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-23378
Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.
CVSS Base Score: 3.3
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2025-26479
Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an out-of-bounds write vulnerability. An attacker could potentially exploit this vulnerability in NFS workflows, leading to data integrity issues.
CVSS Base Score: 3.1
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

 


 

Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Remediated Versions | Link
CVE-2025-23378 | PowerScale OneFS | Version 9.4.0.0 through 9.10.0.0 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area
CVE-2025-26479, CVE-2025-26330, CVE-2025-22471 | PowerScale OneFS | Version 9.4.0.0 through 9.10.0.1 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area
CVE-2025-26480 | PowerScale OneFS | Version 9.5.0.0 through 9.10.0.0 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area
CVE-2025-22471 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.20 | Version 9.4.0.21 or later | PowerScale OneFS Downloads Area
CVE-2025-22471, CVE-2025-26480, CVE-2025-26479, CVE-2025-23378 | PowerScale OneFS | Version 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area
CVE-2025-26330, CVE-2025-22471, CVE-2025-26480, CVE-2025-26479, CVE-2025-23378 | PowerScale OneFS | Version 9.7.0.0 through 9.7.1.4 | Version 9.7.1.5 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.6.0.0 through 9.7.1.6 | Version 9.7.1.7 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.8.0.0 through 9.8.0.2 | Version 9.8.0.3 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.9.0.0 through 9.9.0.1 | Version 9.9.0.2 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.10.0.0 through 9.10.1.0 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area

 


 

We encourage all customers to adopt the Long-Term Support (LTS) 2025 version, which is the 9.10.1.x code line, with the latest maintenance release, currently MR 9.10.1.1. For more information on LTS code lines, see the Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
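Reading the CVE descriptions and the remediation table together takes some care. The broad "9.4.0.0 through 9.10.x" rows are the upgrade-to-LTS fallback, the narrower rows give maintenance releases on older code lines, and a version such as 9.5.1.3 sits inside a broad affected range yet is already fixed for most of these CVEs on its own code line, while 9.4.0.21 closes only CVE-2025-22471 and still needs 9.10.1.1 for the rest. The following triage helper is an added example, not Dell's code: it transcribes the ranges from the CVE descriptions and the table above, compares versions numerically (as strings, 9.9.0.2 sorts after 9.10.0.0), and reports which CVEs still apply to a given cluster version together with the lowest listed release that closes each one. The rule that a table fix counts only on the same major.minor code line as the running version is this example's own reading of the table, not something the advisory states.

```python
"""Maps a OneFS version to the DSA-2025-119 CVEs that still apply to it and the
release that closes each one.

Added example, not Dell's code. AFFECTED and ROWS are transcribed from the
CVE descriptions and the remediation table of this advisory; the comparison
logic (a fix counts only on the same major.minor code line) is this example's
own reading of that table."""
from __future__ import annotations

from dataclasses import dataclass

Version = tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'9.10.1.1' -> (9, 10, 1, 1). Compare as integer tuples: as strings,
    '9.9.0.2' sorts after '9.10.0.0', which is the wrong answer here."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part OneFS version, got {text!r}")
    return parts


def code_line(v: Version) -> tuple[int, int]:
    """The major.minor code line a version belongs to, e.g. (9, 7)."""
    return v[:2]


# Inclusive affected ranges, taken from each CVE description above.
AFFECTED = {
    "CVE-2025-27690": ("9.5.0.0", "9.10.1.0"),
    "CVE-2025-26330": ("9.4.0.0", "9.10.0.1"),
    "CVE-2025-22471": ("9.4.0.0", "9.10.0.1"),
    "CVE-2025-26480": ("9.5.0.0", "9.10.0.0"),
    "CVE-2025-23378": ("9.4.0.0", "9.10.0.0"),
    "CVE-2025-26479": ("9.4.0.0", "9.10.0.0"),
}


@dataclass(frozen=True)
class FixRow:
    cves: frozenset[str]
    lo: str      # first affected version (inclusive)
    hi: str      # last affected version (inclusive)
    fixed: str   # "Remediated Versions" column: this release or later


def row(cves: str, lo: str, hi: str, fixed: str) -> FixRow:
    return FixRow(frozenset(cves.split()), lo, hi, fixed)


# One entry per row of the "Affected Products and Remediation" table above.
ROWS = [
    row("CVE-2025-23378", "9.4.0.0", "9.10.0.0", "9.10.1.1"),
    row("CVE-2025-26479 CVE-2025-26330 CVE-2025-22471", "9.4.0.0", "9.10.0.1", "9.10.1.1"),
    row("CVE-2025-26480", "9.5.0.0", "9.10.0.0", "9.10.1.1"),
    row("CVE-2025-22471", "9.4.0.0", "9.4.0.20", "9.4.0.21"),
    row("CVE-2025-22471 CVE-2025-26480 CVE-2025-26479 CVE-2025-23378", "9.5.0.0", "9.5.1.2", "9.5.1.3"),
    row("CVE-2025-26330 CVE-2025-22471 CVE-2025-26480 CVE-2025-26479 CVE-2025-23378", "9.7.0.0", "9.7.1.4", "9.7.1.5"),
    row("CVE-2025-27690", "9.5.0.0", "9.5.1.2", "9.5.1.3"),
    row("CVE-2025-27690", "9.6.0.0", "9.7.1.6", "9.7.1.7"),
    row("CVE-2025-27690", "9.8.0.0", "9.8.0.2", "9.8.0.3"),
    row("CVE-2025-27690", "9.9.0.0", "9.9.0.1", "9.9.0.2"),
    row("CVE-2025-27690", "9.10.0.0", "9.10.1.0", "9.10.1.1"),
]


def fixed_on_own_code_line(cve: str, v: Version) -> bool:
    """True when a table row for this CVE names a fix on v's own code line and
    v is at or past it. Example: 9.5.1.3 is past the 9.5.1.3 fix for
    CVE-2025-22471 even though it lies inside the catch-all 9.4.0.0-9.10.0.1 row."""
    return any(
        cve in r.cves
        and code_line(parse_version(r.fixed)) == code_line(v)
        and parse_version(r.fixed) <= v
        for r in ROWS
    )


def open_cves(version: str) -> dict[str, str]:
    """CVEs from this advisory that still apply to `version`, each mapped to the
    lowest release in the table that closes it for that version."""
    v = parse_version(version)
    result: dict[str, str] = {}
    for cve, (lo, hi) in AFFECTED.items():
        if not parse_version(lo) <= v <= parse_version(hi):
            continue
        if fixed_on_own_code_line(cve, v):
            continue
        candidates = [
            r for r in ROWS
            if cve in r.cves and parse_version(r.lo) <= v <= parse_version(r.hi)
        ]
        # Nearest fix first: a maintenance release on the running code line
        # where the table offers one, otherwise the 9.10.1.1 LTS catch-all.
        # Every affected version in this advisory is covered by some row; the
        # fallback string only guards against a transcription gap.
        result[cve] = (
            min(candidates, key=lambda r: parse_version(r.fixed)).fixed
            if candidates else "no row in table"
        )
    return result


if __name__ == "__main__":
    for ver in ("9.4.0.21", "9.5.1.3", "9.7.1.5", "9.10.0.1", "9.10.1.1"):
        print(ver, open_cves(ver) or "no open CVEs from DSA-2025-119")
```

Feed it the version reported by the cluster (the output of `isi version` on OneFS, which this example does not parse) and it tells you whether a code-line maintenance release is enough or whether the fix is only available on the 9.10.1 LTS line.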

Workarounds and Mitigations

CVE ID: CVE-2025-27690

Workaround and Mitigation:

The following workarounds are independent of one another and can remain in place until an upgrade to a fixed release or a patch is applied.

Note: the password hash type of the System zone file provider is shown in the "Password Hash Type" entry of the output of isi auth file view System.

Workaround 1:

Add the impacted users to the "Users who cannot be modified" list.
For clusters that have not switched to SHA256 or SHA512 hash types:

isi auth file modify System --add-unmodifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --remove-modifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --restrict-modifiable=true

For clusters that have switched to SHA256 or SHA512 hash types:
Add the users above and, in addition, the other file-provider users that hold system privileges:

isi auth file modify System --add-unmodifiable-users=root,admin --remove-modifiable-users=root,admin --restrict-modifiable=true

Once the patch is applied, any of these users that you actually use can be made modifiable again.

Workaround 2:

For clusters that have not switched to SHA256 or SHA512 hash types:
Set or reset the password of the following System zone file-provider users that are not blocked from modification, and disable them:

  • compadmin, remotesupport, ese, insightiq, www, nobody, git_daemon, isdmgmt

Workaround 3:

Disable the WebUI and API from the CLI:

isi http services modify Platform-API-External --enabled=false

This does not completely mitigate the issue: it can still be abused by users holding ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH.

Workaround 4:

Limit access to the API and WebUI to trusted networks with a firewall rule:

  • Enable the firewall
  • In "default_pools_policy", modify "rule_isi_webui" to restrict "source network" to a trusted set of networks/IPs

This does not completely mitigate the issue: it can still be abused by users holding ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH, and by users on the IPs allowed through the firewall.

 

Revision History

Revision | Date | Description
1.0 | 2025-04-07 | Initial Release
2.0 | 2025-04-07 | Minor update; formatting changes only
3.0 | 2025-04-09 | Minor update; removed a duplicate entry

Related Information

Affected Products

PowerScale OneFS

Article Properties
Article Number: 000300860
Article Type: Dell Security Advisory
Last Modified: 09 Apr 2025