
Article Number: 000153868


DSA-2020-096: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability

Summary: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability.

Article Content


Impact

Medium

Details

Summary:    
The SSHD configuration within Dell EMC Isilon OneFS requires a remediation to address a vulnerability. 

  •  Incorrect Default Permissions Vulnerability

CVE-2020-5355

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Affected products:   
Dell EMC Isilon OneFS versions 8.2.2 and earlier.


For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.

Workaround:    
There are three options available to work around this issue:

  • Disable users with restricted shells (by default, only the remotesupport user).
  • Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
  • For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.


Disable users with restricted shells

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

  2. Run the following command:   

isi auth users modify remotesupport --enabled=false


Disable forwarding of UNIX domain and TCP sockets
For 8.2.0 and later:   

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.

  2. Run the following commands:    

isi_gconfig -t ssh-config allow_tcp_forwarding=no
isi_gconfig -t ssh-config allow_stream_local_forwarding=no


Versions prior to 8.2.0

  1. Open a secure shell (SSH) connection to each node in the cluster and log in as root.

  2. On each node, set the following in the /etc/mcp/templates/sshd_config file:    

AllowStreamLocalForwarding=no
AllowTcpForwarding=no

Note: (Versions prior to 8.2.0 only) Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.

  1. Open a secure shell (SSH) connection to each node in the cluster and log in as root.

  2. On each node, append the following to the end of the /etc/mcp/templates/sshd_config file:    

Match User remotesupport
AllowStreamLocalForwarding=no
AllowTcpForwarding=no

Note: To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the sshd_config file to persist upgrades

CAUTION: The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
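
The Match caution above, shown as an added example (not Dell's code): a Python check that resolves which AllowTcpForwarding and AllowStreamLocalForwarding values apply to a given user in a copy of sshd_config, so an earlier Match block that shadows the appended fix is caught. It assumes stock OpenSSH defaults and evaluates only Match User and Match All; the function names and the sample config are constructed for illustration.

```python
import fnmatch
import re

# Stock OpenSSH defaults when a keyword is absent (assumption, not OneFS-specific).
DEFAULTS = {"allowtcpforwarding": "yes", "allowstreamlocalforwarding": "yes"}

def _user_matches(pattern_list, user):
    """Comma-separated patterns; a matching '!' pattern vetoes the whole list."""
    pats = pattern_list.split(",")
    if any(p.startswith("!") and fnmatch.fnmatchcase(user, p[1:]) for p in pats):
        return False
    return any(fnmatch.fnmatchcase(user, p) for p in pats if not p.startswith("!"))

def _match_applies(criteria, user):
    """Evaluate 'Match User ...' and 'Match All'; other criteria count as unmet."""
    tokens = criteria.split()
    if len(tokens) == 2 and tokens[0].lower() == "user":
        return _user_matches(tokens[1], user)
    return criteria.strip().lower() == "all"

def effective_forwarding(config_text, user):
    """Return the forwarding settings that apply to `user` in this config."""
    global_vals, match_vals = {}, {}
    target = global_vals
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            target = match_vals if _match_applies(value, user) else None
        elif target is not None and keyword in DEFAULTS:
            target.setdefault(keyword, value.lower())  # first instance wins
    # A satisfied Match block overrides the global section.
    return {k: match_vals.get(k, global_vals.get(k, d)) for k, d in DEFAULTS.items()}

def still_forwarding(config_text, user):
    """Keywords whose effective value is not 'no', i.e. forwarding still allowed."""
    return sorted(k for k, v in effective_forwarding(config_text, user).items() if v != "no")

# Constructed sample: an earlier Match block shadows the appended fix.
SHADOWED = """\
Match User remote*
AllowTcpForwarding yes
Match User remotesupport
AllowStreamLocalForwarding=no
AllowTcpForwarding=no
"""
```
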


Acknowledgements

Dell would like to thank Andre Protas with Apple Information Security for reporting this issue.


Article Properties


Affected Product

PowerScale OneFS, Product Security Information

Last Published Date

23 Nov 2021

Version

7

Article Type

Dell Security Advisory