Headline
CVE-2020-26197: DSA-2021-048: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
Dell PowerScale OneFS 8.1.0 - 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.
Vaikutus
Critical
Tiedot
Proprietary Code CVE(s)
Description
CVSSBase Score
CVSS Vector String
CVE-2021-21526
Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root.
Note: If running in Compliance Mode, this is a critical vulnerability.
6.0
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-26197
Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor.
Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21502
Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login.
Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available.
9.8
(prior disclosure)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proprietary Code CVE(s)
Description
CVSSBase Score
CVSS Vector String
CVE-2021-21526
Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root.
Note: If running in Compliance Mode, this is a critical vulnerability.
6.0
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-26197
Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor.
Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21502
Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login.
Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available.
9.8
(prior disclosure)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.
Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen
CVE Addressed
Affected Version(s)
Updated Version(s)
Link to Update
CVE-2021-21526
9.0
Upgrade your OneFS version
PowerScale Downloads Area on https://www.dell.com
9.1
March RUP_2021-03
CVE-2020-26197
8.1.0, 8.1.1
Upgrade your OneFS version
8.1.2
March RUP_2021-03
8.2.2
November RUP_2020-11
CVE-2021-21502
8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0
Upgrade your OneFS version
9.1.0
RUP 2021-01
8.1.2, 8.2.2
RUP 2021-03
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVE Addressed
Affected Version(s)
Updated Version(s)
Link to Update
CVE-2021-21526
9.0
Upgrade your OneFS version
PowerScale Downloads Area on https://www.dell.com
9.1
March RUP_2021-03
CVE-2020-26197
8.1.0, 8.1.1
Upgrade your OneFS version
8.1.2
March RUP_2021-03
8.2.2
November RUP_2020-11
CVE-2021-21502
8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0
Upgrade your OneFS version
9.1.0
RUP 2021-01
8.1.2, 8.2.2
RUP 2021-03
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Keinoja ongelman kiertämiseen tai lieventämiseen
CVE ID
Workaround(s) and Mitigation(s)
CVE-2021-21526
None.
CVE-2020-26197
Disable LDAP Providers.
CVE-2021-21502
- Removing authorized_keys files from homedir/.ssh of expired accounts
- Removing expired accounts from roles that have ISI_AUTH_PRIV_SSH
Disabling public key authentication in SSH; login to your cluster with a username which has the appropriate privileges, and at the prompt, enter the following CLI commands:
isi ssh modify --auth-settings-template=custom
# isi ssh settings modify --pubkey-authentication=false
Versiohistoria
Revision
Date
Description
1.0
2021-04-12
Initial Release
Asiaan liittyvät tiedot
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
28 syysk. 2021
Related news
Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system.