DSA-2021-009: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
摘要: Dell PowerScale OneFS contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
本文适用于
本文不适用于
本文并非针对某种特定的产品。
本文并非包含所有产品版本。
影响
Critical
详情
| Proprietary Code CVEs | Description | CVSSBase Score | CVSS Vector String |
| CVE-2021-21502 | Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability. A user on the network with the ISI_PRIV_AUTH_SSH RBAC privilege that has an expired account may potentially exploit this vulnerability, giving them access to the same things they had before account expiration. This may by a high privileged account and hence Dell recommends customers upgrade at the earliest opportunity. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26196 | Dell EMC PowerScale OneFS versions 8.1.0-9.1.0 contain a Backup/Restore Privilege implementation issue. A user with the BackupAdmin role may potentially exploit this vulnerability resulting in the ability to write data outside of the intended file system location. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CVE-2020-26195 | Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2020-26194 | Dell EMC PowerScale OneFS versions 8.1.2 and 8.2.2 contain an Incorrect Permission Assignment for a Critical Resource vulnerability. This may allow a non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to exploit the vulnerability, leading to compromised cryptographic operations. | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26193 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability. A user with the ISI_PRIV_CLUSTER privilege may exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26192 | Dell EMC PowerScale OneFS versions 8.2.0 - 9.1.0 contain a privilege escalation vulnerability. A non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH may potentially exploit this vulnerability to read arbitrary data, tamper with system software or deny service to users. Note: No non-admin users or roles have these privileges by default. |
7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26191 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain a privilege escalation vulnerability. A user with ISI_PRIV_JOB_ENGINE may use the PermissionRepair job to grant themselves the highest level of RBAC privileges thus being able to read arbitrary data, tamper with system software or deny service to users. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Proprietary Code CVEs | Description | CVSSBase Score | CVSS Vector String |
| CVE-2021-21502 | Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability. A user on the network with the ISI_PRIV_AUTH_SSH RBAC privilege that has an expired account may potentially exploit this vulnerability, giving them access to the same things they had before account expiration. This may by a high privileged account and hence Dell recommends customers upgrade at the earliest opportunity. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26196 | Dell EMC PowerScale OneFS versions 8.1.0-9.1.0 contain a Backup/Restore Privilege implementation issue. A user with the BackupAdmin role may potentially exploit this vulnerability resulting in the ability to write data outside of the intended file system location. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CVE-2020-26195 | Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2020-26194 | Dell EMC PowerScale OneFS versions 8.1.2 and 8.2.2 contain an Incorrect Permission Assignment for a Critical Resource vulnerability. This may allow a non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to exploit the vulnerability, leading to compromised cryptographic operations. | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26193 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability. A user with the ISI_PRIV_CLUSTER privilege may exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26192 | Dell EMC PowerScale OneFS versions 8.2.0 - 9.1.0 contain a privilege escalation vulnerability. A non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH may potentially exploit this vulnerability to read arbitrary data, tamper with system software or deny service to users. Note: No non-admin users or roles have these privileges by default. |
7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-26191 | Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain a privilege escalation vulnerability. A user with ISI_PRIV_JOB_ENGINE may use the PermissionRepair job to grant themselves the highest level of RBAC privileges thus being able to read arbitrary data, tamper with system software or deny service to users. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
受影响的产品和补救措施
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-21502 | 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.1.2, 8.2.2, 9.0.0 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 9.1.0 | RUP 2021-01 | ||
| CVE-2020-26196 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.2.2, 9.0.0 | October 2020 RUP for your OneFS version | ||
| 8.1.2, 8.2.1, 9.1.0 | November 2020 RUP for your OneFS version | ||
| CVE-2020-26195 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
| CVE-2020-26194 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
| CVE-2020-26193 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
| CVE-2020-26192 | 8.2.0, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | PowerScale Downloads area. |
| CVE-2020-26191 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-21502 | 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.1.2, 8.2.2, 9.0.0 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 9.1.0 | RUP 2021-01 | ||
| CVE-2020-26196 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.2.2, 9.0.0 | October 2020 RUP for your OneFS version | ||
| 8.1.2, 8.2.1, 9.1.0 | November 2020 RUP for your OneFS version | ||
| CVE-2020-26195 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
| CVE-2020-26194 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
| CVE-2020-26193 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | ||
| CVE-2020-26192 | 8.2.0, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 | PowerScale Downloads area. |
| CVE-2020-26191 | 8.1.0, 8.1.1, 8.2.0, 8.2.1 | Upgrade your PowerScale OneFS version | PowerScale Downloads area. |
| 8.1.2, 8.2.2, 9.0.0, 9.1.0 | January RUP 2021-01 |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
解决方法和缓解措施
| CVE ID | Workarounds and Mitigations |
| CVE-2021-21502 |
# isi ssh settings modify --pubkey-authentication=false
|
| CVE-2020-26196 |
|
| CVE-2020-26195 | None |
| CVE-2020-26194 |
|
| CVE-2020-26193 | None |
| CVE-2020-26192 | The upgrade agent may be disabled up until an upgrade/patching activity needs to take place:
# isi services -a isi_upgrade_agent_d disable
# isi services -a isi_upgrade_agent_d enable
|
| CVE-2020-26191 | None |
修订历史记录
| Revision | Date | Description |
| 1.0 | 2021-02-08 | Initial Release |
相关信息
法律免责声明
受影响的产品
PowerScale OneFS, Product Security Information文章属性
文章编号: 000182873
文章类型: Dell Security Advisory
上次修改时间: 23 11月 2021
从其他戴尔用户那里查找问题的答案
支持服务
检查您的设备是否在支持服务涵盖的范围内。