
Article number: 000153867


DSA-2020-093: Dell EMC Isilon OneFS and Dell EMC PowerScale OneFS Security Update for NFS Configuration Vulnerabilities

Article content


Impact

High

Overview

Summary:   
The home directory within Dell EMC Isilon OneFS and Dell EMC PowerScale OneFS requires a remediation to address a vulnerability.

Details

  • Incorrect Default Permissions Vulnerability 

CVE-2020-5353

The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory. An attacker may leverage a spoofed Unique Identifier (UID) over NFS to rewrite sensitive files to gain administrative access to the system.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity of the specific security vulnerabilities.

Affected products and remediation

Affected products:    
Dell EMC Isilon OneFS versions 8.2.2 and earlier
Dell EMC PowerScale version 9.0.0

Remediation:     
For Dell EMC PowerScale OneFS version 9.0.0, the fix is contained in the release.
For Dell EMC Isilon OneFS version 8.2.2, the fix for this issue is included with the June 2020 Rollup Patch, as well as all future Rollup Patches. For more information and to obtain a Rollup patch, see the Current Isilon OneFS Patches document.
For Dell EMC Isilon OneFS versions 8.2.1 and 8.1.2, the fix for this issue is included with the May 2020 Rollup Patch, as well as all future Rollup Patches.

Dell EMC recommends all customers upgrade at the earliest opportunity.  

Workaround:    
There are several options to choose from:    

  • Disable NFS

  • Move the admin home directory

  • Enable Kerberos authentication


Disable NFS

  1. Open an SSH connection to any node in the cluster and log in as root.

  2. Stop NFS as a service:    
    isi services nfs disable


Move the Admin Home Directory
For more information, see KB article 320432: How to move the admin home directory  


Enable Kerberos Authentication
For information about enabling Kerberos authentication, see the following sections of the OneFS CLI Administration Guide:   

  • Authentication chapter, Managing MIT Kerberos authentication section.

  • File sharing chapter, Managing NFS Exports section.

For information about Using NFS with Active Directory Kerberos and Using NFS with MIT Kerberos, see sections 5.2.1 and 5.2.2 of the Isilon OneFS NFS Design Considerations and Best Practices whitepaper.
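
A check that follows from the workarounds above: no NFS export that reaches the admin home directory should accept a client-asserted UID. The following is an added example, not Dell code; it audits a constructed export inventory, and the record fields, the flavor names (`unix`, `krb5`, `krb5i`, `krb5p`) and the `/data/...` paths are assumptions for illustration.

```python
import posixpath

# Flavors that authenticate the user cryptographically. Anything else is
# treated as trusting the UID the client sends (assumed flavor names).
KERBEROS_FLAVORS = {"krb5", "krb5i", "krb5p"}


def covers(export_path, target):
    """True if target is the exported directory itself or lies beneath it."""
    export_path = posixpath.normpath(export_path)
    target = posixpath.normpath(target)
    if export_path == "/":
        return True
    # Compare on a path-component boundary so /home/adm does not match /home/admin.
    return target == export_path or target.startswith(export_path + "/")


def risky_exports(exports, admin_home):
    """Return (id, path, weak_flavors) for exports that reach admin_home
    and accept at least one non-Kerberos security flavor."""
    findings = []
    for exp in exports:
        if not covers(exp["path"], admin_home):
            continue
        weak = sorted(set(exp["flavors"]) - KERBEROS_FLAVORS)
        if weak:
            findings.append((exp["id"], exp["path"], weak))
    return findings


# Constructed sample inventory; the paths are placeholders, not values from the advisory.
SAMPLE_ADMIN_HOME = "/data/home/admin"
SAMPLE_EXPORTS = [
    {"id": 1, "path": "/data", "flavors": ["unix"]},                    # parent export, UID trusted
    {"id": 2, "path": "/data/home", "flavors": ["krb5", "krb5p"]},      # Kerberos only
    {"id": 3, "path": "/data/projects", "flavors": ["unix"]},           # does not reach admin home
    {"id": 4, "path": "/data/home/admin/", "flavors": ["unix", "krb5"]},  # mixed: still weak
    {"id": 5, "path": "/data/home/administrator", "flavors": ["unix"]},   # sibling, not a parent
]

if __name__ == "__main__":
    for export_id, path, weak in risky_exports(SAMPLE_EXPORTS, SAMPLE_ADMIN_HOME):
        print(f"export {export_id} ({path}) reaches {SAMPLE_ADMIN_HOME} "
              f"with flavor(s): {', '.join(weak)}")
```

An export that lists both a Kerberos flavor and a non-Kerberos flavor is still reported, because a client can choose the weaker one.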



Acknowledgements

Dell would like to thank Knud from F-Secure for reporting this issue.

Related information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Article properties


Affected product

PowerScale OneFS

Product

PowerScale OneFS, Product Security Information

Last published date

10 Apr 2021

Version

3

Article type

Dell Security Advisory