Article Number: 000153867


DSA-2020-093: Dell EMC Isilon OneFS and Dell EMC PowerScale OneFS Security Update for NFS Configuration Vulnerabilities

Article Content


Impact

High

Details

Summary:   
The home directory configuration within Dell EMC Isilon OneFS and Dell EMC PowerScale OneFS requires remediation to address a vulnerability.

  • Incorrect Default Permissions Vulnerability 

CVE-2020-5353

The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory. An attacker may leverage a spoofed Unique Identifier (UID) over NFS to rewrite sensitive files to gain administrative access to the system.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Affected products:    
Dell EMC Isilon OneFS versions 8.2.2 and earlier
Dell EMC PowerScale version 9.0.0

Remediation:     
For Dell EMC PowerScale OneFS version 9.0.0, the fix is contained in the release.
For Dell EMC Isilon OneFS version 8.2.2, the fix for this issue is included with the June 2020 Rollup Patch, as well as all future Rollup Patches. For more information and to obtain a Rollup patch, see the Current Isilon OneFS Patches document.
For Dell EMC Isilon OneFS versions 8.2.1 and 8.1.2, the fix for this issue is included with the May 2020 Rollup Patch, as well as all future Rollup Patches.

Dell EMC recommends all customers upgrade at the earliest opportunity.  

Workaround:    
There are several options to choose from:    

  • Disable NFS

  • Move the admin home directory

  • Enable Kerberos authentication


Disable NFS

  1. Open an SSH connection to any node in the cluster and log in as root.

  2. Stop NFS as a service:    
    isi services nfs disable


Move the Admin Home Directory
For more information, see KB article 320432: How to move the admin home directory  


Enable Kerberos Authentication
For information about enabling Kerberos authentication, see the following sections of the OneFS CLI Administration Guide:   

  • Authentication chapter, Managing MIT Kerberos authentication section.

  • File sharing chapter, Managing NFS Exports section.

For information about Using NFS with Active Directory Kerberos and Using NFS with MIT Kerberos, see sections 5.2.1 and 5.2.2 of the Isilon OneFS NFS Design Considerations and Best Practices whitepaper.
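
An added example, not part of Dell's advisory: with the AUTH_SYS flavor (RFC 5531) the UID in each NFS call is a value the client supplies, whereas RPCSEC_GSS (Kerberos) calls carry an authenticated identity. The Python below decodes the RPC credential of a captured call and classifies it for monitoring; `WATCHED_UID`, the function names and the sample messages are constructed assumptions.

```python
import struct

# RPC authentication flavors from RFC 5531 (AUTH_SYS) and RFC 2203 (RPCSEC_GSS).
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 6: "RPCSEC_GSS"}
NFS_PROGRAM = 100003
WATCHED_UID = 10  # assumption: placeholder for the UID owning the admin home directory

def xdr_opaque(data):
    """XDR variable-length opaque: 4-byte length, data, zero padding to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)

def parse_call_credential(msg):
    """Decode the credential of an ONC RPC call (record marker already removed)."""
    try:
        _xid, mtype, rpcvers, prog, _vers, _proc, flavor, length = struct.unpack_from(">8I", msg)
        if mtype != 0 or rpcvers != 2:
            raise ValueError("not an RPC version 2 call")
        body = msg[32:32 + length]
        if length > 400 or len(body) != length:  # RFC 5531 caps opaque_auth at 400 bytes
            raise ValueError("bad credential length")
        cred = {"program": prog, "flavor": FLAVORS.get(flavor, str(flavor)),
                "uid": None, "gid": None, "machine": None}
        if flavor == 1:  # AUTH_SYS: every field below is chosen by the client
            _stamp, name_len = struct.unpack_from(">II", body)
            off = 8 + name_len + (-name_len % 4)
            cred["machine"] = body[8:8 + name_len].decode("ascii", "replace")
            cred["uid"], cred["gid"], _ngids = struct.unpack_from(">III", body, off)
        return cred
    except struct.error as exc:
        raise ValueError("truncated RPC call") from exc

def assess(cred, watched_uid=WATCHED_UID):
    """Classify one NFS call by how much its claimed identity can be trusted."""
    if cred["program"] != NFS_PROGRAM:
        return "ignore"
    if cred["flavor"] == "RPCSEC_GSS":
        return "authenticated"      # identity is proven with Kerberos, not asserted
    if cred["flavor"] == "AUTH_SYS" and cred["uid"] == watched_uid:
        return "alert"              # unauthenticated claim to the watched account
    return "unauthenticated"

def sample_call(flavor, cred_body):
    """Constructed test input: an NFSv3 NULL call header carrying the given credential."""
    head = struct.pack(">7I", 0x1234, 0, 2, NFS_PROGRAM, 3, 0, flavor)
    return head + xdr_opaque(cred_body) + struct.pack(">II", 0, 0)  # AUTH_NONE verifier

def sample_auth_sys(uid, machine=b"client01"):
    """Constructed AUTH_SYS body: stamp, machinename, uid, gid, empty gids list."""
    return struct.pack(">I", 0) + xdr_opaque(machine) + struct.pack(">III", uid, uid, 0)
```

Feed `parse_call_credential` the RPC payload of calls captured on the NFS port; an "alert" result for an export that should require Kerberos indicates the export still accepts AUTH_SYS.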




Acknowledgements

Dell would like to thank Knud from F-Secure for reporting this issue.

Article Properties


Affected Product

PowerScale OneFS

Product

PowerScale OneFS, Product Security Information

Last Published Date

10 Apr 2021

Version

3

Article Type

Dell Security Advisory