Ga naar hoofdinhoud
  • Snel en eenvoudig bestellen
  • Bestellingen en de verzendstatus bekijken
  • Een lijst met producten maken en openen
  • Beheer uw Dell EMC locaties, producten en contactpersonen op productniveau met Company Administration.

Artikelnummer: 000153868


DSA-2020-096: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability

Samenvatting: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability.

Article content


Impact

Medium

Overview

Summary:    
The SSHD configuration within Dell EMC Isilon OneFS requires a remediation to address a vulnerability. 

Gegevens

  •  Incorrect Default Permissions Vulnerability

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

  •  Incorrect Default Permissions Vulnerability

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Dell Technologies raadt aan dat alle klanten rekening houden met zowel de basisscore van CVSS als alle relevante tijdelijke en omgevingsscores die gevolgen kunnen hebben voor de mogelijke ernst van de specifieke beveiligingsproblemen.

Getroffen producten en herstel

Affected products:   
Dell EMC Isilon OneFS versions 8.2.2 and earlier.


For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

Workaround:    
There are three options available to workaround this issue:   

  • Disable users with restricted shells (by default, only the remotesupport user).
  • Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
  • For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.


Disable users with restricted shells

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

  2. Run the following command:   

isi auth users modify remotesupport --enabled=false


Disable forwarding of UNIX domain and TCP sockets
For 8.2.0 and later:   

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

  2. Run the following commands:    

isi_gconfig -t ssh-config allow_tcp_forwarding=no
isi_gconfig -t ssh-config allow_stream_local_forwarding=no


Versions prior to 8.2.0

  1. Open a secure shell (SSH) connection to each node in the cluster and log in as root.

  2. On each node, set the following in the /etc/mcp/templates/sshd_config file:    

AllowStreamLocalForwarding=no
AllowTcpForwarding=no

Note: (Versions prior to 8.2.0 only) Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  1. Open a secure shell (SSH) connection to each node in the cluster and log in as root.

  2. On each node, append the following to the end of the /etc/mcp/templates/sshd_config file:    

Match User remotesupport

AllowStreamLocalForwarding=no
AllowTcpForwarding=no

Note: To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the the sshd_config file to persist upgrades    

CAUTION: The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.


Affected products:   
Dell EMC Isilon OneFS versions 8.2.2 and earlier.


For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

Workaround:    
There are three options available to workaround this issue:   

  • Disable users with restricted shells (by default, only the remotesupport user).
  • Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
  • For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.


Disable users with restricted shells

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

  2. Run the following command:   

isi auth users modify remotesupport --enabled=false


Disable forwarding of UNIX domain and TCP sockets
For 8.2.0 and later:   

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

  2. Run the following commands:    

isi_gconfig -t ssh-config allow_tcp_forwarding=no
isi_gconfig -t ssh-config allow_stream_local_forwarding=no


Versions prior to 8.2.0

  1. Open a secure shell (SSH) connection to each node in the cluster and log in as root.

  2. On each node, set the following in the /etc/mcp/templates/sshd_config file:    

AllowStreamLocalForwarding=no
AllowTcpForwarding=no

Note: (Versions prior to 8.2.0 only) Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  1. Open a secure shell (SSH) connection to each node in the cluster and log in as root.

  2. On each node, append the following to the end of the /etc/mcp/templates/sshd_config file:    

Match User remotesupport

AllowStreamLocalForwarding=no
AllowTcpForwarding=no

Note: To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the the sshd_config file to persist upgrades    

CAUTION: The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.


Bevestigingen

Dell would like to thank Andre Protas with Apple Information Security for reporting this issue.

Verwante informatie

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Artikeleigenschappen


Getroffen product

PowerScale OneFS, Product Security Information

Datum laatst gepubliceerd

23 nov 2021

Versie

7

Artikeltype

Dell Security Advisory