DSA-2025-119: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.


Impact: Critical

Details

Proprietary Code CVEs

CVE-2025-27690
  Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.
  CVSS Base Score: 9.8
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2025-26330
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with the previous privileges of a disabled user account.
  CVSS Base Score: 7.0
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2025-22471
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
  CVSS Base Score: 6.5
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2025-26480
  Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.0, contains an uncontrolled resource consumption vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
  CVSS Base Score: 5.3
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-23378
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.
  CVSS Base Score: 3.3
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2025-26479
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an out-of-bounds write vulnerability. An attacker could potentially exploit this vulnerability in NFS workflows, leading to data integrity issues.
  CVSS Base Score: 3.1
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N



Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Remediated Versions | Link
CVE-2025-23378 | PowerScale OneFS | Version 9.4.0.0 through 9.10.0.0 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area
CVE-2025-26479, CVE-2025-26330, CVE-2025-22471 | PowerScale OneFS | Version 9.4.0.0 through 9.10.0.1 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area
CVE-2025-26480 | PowerScale OneFS | Version 9.5.0.0 through 9.10.0.0 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area
CVE-2025-22471 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.20 | Version 9.4.0.21 or later | PowerScale OneFS Downloads Area
CVE-2025-22471, CVE-2025-26480, CVE-2025-26479, CVE-2025-23378 | PowerScale OneFS | Version 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area
CVE-2025-26330, CVE-2025-22471, CVE-2025-26480, CVE-2025-26479, CVE-2025-23378 | PowerScale OneFS | Version 9.7.0.0 through 9.7.1.4 | Version 9.7.1.5 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.6.0.0 through 9.7.1.6 | Version 9.7.1.7 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.8.0.0 through 9.8.0.2 | Version 9.8.0.3 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.9.0.0 through 9.9.0.1 | Version 9.9.0.2 or later | PowerScale OneFS Downloads Area
CVE-2025-27690 | PowerScale OneFS | Version 9.10.0.0 through 9.10.1.0 | Version 9.10.1.1 or later | PowerScale OneFS Downloads Area



We encourage all customers to adopt the Long-Term Support (LTS) 2025 release, which is the 9.10.1.x code line, with the latest maintenance release, currently MR 9.10.1.1. For more information on LTS code lines, see the Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
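The remediation table above mixes broad rows (everything up to 9.10.0.x, fixed in 9.10.1.1) with narrower per-code-line rows (for example 9.7.1.5 closes five of the six CVEs on the 9.7 line, and 9.7.1.7 closes the sixth), so reading off "is my cluster still exposed, and what is the smallest upgrade that clears everything?" by eye is error-prone. The following script is an added example, not Dell's tooling: it transcribes the table's rows and answers that question for a four-part OneFS version string. Treating the first two components (9.7, 9.10, ...) as the "code line" is this example's assumption, not a definition from the advisory, and the output is only a reading of the table, not a substitute for checking the release notes of the build you run.

```python
"""Map a PowerScale OneFS version to the DSA-2025-119 CVEs that still apply
to it and to the earliest release, among the table's rows, that closes them.

Added example for this advisory; the ranges below are transcribed from the
"Affected Products and Remediation" table. Versions are assumed to be four
dot-separated integers, e.g. "9.7.1.4"; a "code line" is assumed to be the
first two components, which is this example's convention, not Dell's.
"""
from __future__ import annotations

from dataclasses import dataclass

Version = tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse "9.10.0.1" into (9, 10, 0, 1); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part OneFS version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


@dataclass(frozen=True)
class Row:
    cves: frozenset[str]
    first_affected: Version
    last_affected: Version
    remediated: Version


def _row(cves: str, first: str, last: str, fixed: str) -> Row:
    return Row(frozenset(cves.split()), parse_version(first),
               parse_version(last), parse_version(fixed))


# One entry per row of the remediation table, in the table's order.
ROWS = [
    _row("CVE-2025-23378", "9.4.0.0", "9.10.0.0", "9.10.1.1"),
    _row("CVE-2025-26479 CVE-2025-26330 CVE-2025-22471", "9.4.0.0", "9.10.0.1", "9.10.1.1"),
    _row("CVE-2025-26480", "9.5.0.0", "9.10.0.0", "9.10.1.1"),
    _row("CVE-2025-22471", "9.4.0.0", "9.4.0.20", "9.4.0.21"),
    _row("CVE-2025-22471 CVE-2025-26480 CVE-2025-26479 CVE-2025-23378", "9.5.0.0", "9.5.1.2", "9.5.1.3"),
    _row("CVE-2025-26330 CVE-2025-22471 CVE-2025-26480 CVE-2025-26479 CVE-2025-23378", "9.7.0.0", "9.7.1.4", "9.7.1.5"),
    _row("CVE-2025-27690", "9.5.0.0", "9.5.1.2", "9.5.1.3"),
    _row("CVE-2025-27690", "9.6.0.0", "9.7.1.6", "9.7.1.7"),
    _row("CVE-2025-27690", "9.8.0.0", "9.8.0.2", "9.8.0.3"),
    _row("CVE-2025-27690", "9.9.0.0", "9.9.0.1", "9.9.0.2"),
    _row("CVE-2025-27690", "9.10.0.0", "9.10.1.0", "9.10.1.1"),
]
ALL_CVES = frozenset().union(*(r.cves for r in ROWS))


def _code_line(v: Version) -> tuple[int, int]:
    return v[:2]


def affected_cves(version: str) -> set[str]:
    """CVEs that still apply: the version lies inside an affected range for
    the CVE and no row on the same code line has remediated it at or below
    this version (9.7.1.5 sits inside the broad 9.4.0.0-9.10.0.1 range for
    CVE-2025-26330, but the 9.7 row fixes that CVE at 9.7.1.5)."""
    v = parse_version(version)
    result: set[str] = set()
    for cve in ALL_CVES:
        in_range = any(cve in r.cves and r.first_affected <= v <= r.last_affected
                       for r in ROWS)
        fixed_on_line = any(cve in r.cves and _code_line(r.remediated) == _code_line(v)
                            and r.remediated <= v for r in ROWS)
        if in_range and not fixed_on_line:
            result.add(cve)
    return result


def recommended_target(version: str) -> str | None:
    """Smallest remediated version, among rows that cover this version, at
    which affected_cves() is empty; None when nothing applies."""
    v = parse_version(version)
    if not affected_cves(version):
        return None
    candidates = sorted({r.remediated for r in ROWS
                         if r.first_affected <= v <= r.last_affected and r.remediated > v})
    for cand in candidates:
        if not affected_cves(fmt(cand)):
            return fmt(cand)
    return None  # cannot happen with this table: 9.10.1.1 closes every row


if __name__ == "__main__":
    import sys
    for ver in sys.argv[1:] or ["9.4.0.21", "9.7.1.3", "9.7.1.6", "9.10.1.1"]:
        cves = sorted(affected_cves(ver))
        tail = f" -> upgrade to {recommended_target(ver)}" if cves else ""
        print(f"{ver}: {', '.join(cves) or 'not affected'}{tail}")
```

Run it with one or more version strings as arguments. Two results worth noting: 9.4.0.21 is still exposed to CVE-2025-23378, CVE-2025-26479 and CVE-2025-26330 because the 9.4 line only received the CVE-2025-22471 fix, and the only row that clears it is 9.10.1.1; and a 9.7.1.3 cluster needs 9.7.1.7, not 9.7.1.5, because the default-password CVE has its own later fix on that line.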

Workarounds and Mitigations

CVE ID: CVE-2025-27690

Workaround and Mitigation

These independent workarounds can be in place until an upgrade to a fixed release or a patch can be applied.

Note: The file provider's password hash type can be viewed with isi auth file view System, in the "Password Hash Type" entry. Workarounds 1 and 2 depend on it.

Workaround 1:

Add the impacted users to the "Users who cannot be modified" list.

For clusters that have not switched to SHA256 or SHA512 hash types:

isi auth file modify System --add-unmodifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --remove-modifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --restrict-modifiable=true

For clusters that have switched to SHA256 or SHA512 hash types, add the users above and also the other file provider users with system privileges (root and admin):

isi auth file modify System --add-unmodifiable-users=root,admin --remove-modifiable-users=root,admin --restrict-modifiable=true

Once the patch is applied, any of these accounts that you actually use can be made modifiable again.

Workaround 2:

For clusters that have not switched to SHA256 or SHA512 hash types: set or reset the password of each of the following users in the System zone file provider (those that are not blocked from modification), and disable them:

  • compadmin, remotesupport, ese, insightiq, www, nobody, git_daemon, isdmgmt

Workaround 3:

Disable the WebUI and API from the CLI:

isi http services modify Platform-API-External --enabled=false

This does not completely mitigate the issue: it can still be abused by users holding ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH.

Workaround 4:

Limit access to the API and WebUI to trusted networks with a firewall rule:

  • Enable the firewall.
  • In "default_pools_policy", modify "rule_isi_webui" to restrict "source network" to a trusted set of networks/IPs.

This does not completely mitigate the issue: it can still be abused by users holding ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH, and by users on the IPs allowed through the firewall.

 

Revision History

Revision | Date | Description
1.0 | 2025-04-07 | Initial Release
2.0 | 2025-04-07 | Minor update; formatting changes only
3.0 | 2025-04-09 | Minor update; removed a duplicate entry

Related Information

Affected Products: PowerScale OneFS

Article Properties
Article Number: 000300860
Article Type: Dell Security Advisory
Last Modified: 09 Apr 2025