Headline
CVE-2020-5355: DSA-2020-096: Dell EMC Isilon OneFS Security Update for Insecure SSHD Configuration Vulnerability
The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.
Impact
Medium
Overview
Summary:
The SSHD configuration within Dell EMC Isilon OneFS requires a remediation to address a vulnerability.
Details
- Incorrect Default Permissions Vulnerability
CVE-2020-5355
The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.
CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity of a particular security vulnerability.
Affected Products and Remediation
Affected products:
Dell EMC Isilon OneFS versions 8.2.2 and earlier.
For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.
Workaround:
There are three options available to work around this issue:
- Disable users with restricted shells (by default, only the remotesupport user).
- Modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for all users.
- For OneFS versions prior to 8.2.0 only, modify the SSH server configuration to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.
Disable users with restricted shells
Open a secure shell (SSH) connection to any node in the cluster and log in as root.
Run the following command:
isi auth users modify remotesupport --enabled=false
Disable forwarding of UNIX domain and TCP sockets
For 8.2.0 and later:
Open a secure shell (SSH) connection to any node in the cluster and log in as root.
Run the following commands:
isi_gconfig -t ssh-config allow_tcp_forwarding=no
isi_gconfig -t ssh-config allow_stream_local_forwarding=no
For versions prior to 8.2.0:
Open a secure shell (SSH) connection to each node in the cluster and log in as root.
On each node, set the following in the /etc/mcp/templates/sshd_config file:
AllowStreamLocalForwarding=no
AllowTcpForwarding=no
Disable forwarding of UNIX domain and TCP sockets for users with restricted shells (versions prior to 8.2.0 only)
Open a secure shell (SSH) connection to each node in the cluster and log in as root.
On each node, append the following to the end of the /etc/mcp/templates/sshd_config file:
Match User remotesupport
AllowStreamLocalForwarding=no
AllowTcpForwarding=no
Note: To make these settings persist across upgrades, see KB article 530021: {Isilon} - SSH: How to modify the sshd_config file to persist upgrades
CAUTION: The Match keyword opens a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied; a pre-existing Match block for remotesupport that already sets AllowTcpForwarding or AllowStreamLocalForwarding therefore takes precedence over the block appended above, and the appended setting is silently ignored.
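The CAUTION above is easy to get wrong by hand, so the following is an added example (written for this page, not Dell's or OpenSSH's code) that evaluates which value an OpenSSH server would actually use for AllowTcpForwarding and AllowStreamLocalForwarding for a given user, applying the Match rules described: a keyword in a satisfied Match block overrides the global value, and when several satisfied Match blocks set the same keyword the first one wins. The function names (effective_value, demo_config, forwarding_for) and the sshd_config text are constructed for the demonstration; it evaluates only the User and All Match criteria and compares user names literally rather than as OpenSSH patterns.

```sh
#!/bin/sh
# Added example for this advisory, not Dell's code. It reads sshd_config text
# on stdin and reports the value OpenSSH would apply for one keyword and one
# user, following the Match semantics the advisory's CAUTION describes.
# Assumptions (simplifications): only "User" and "All" Match criteria are
# evaluated, and user names are compared literally, not as patterns.

# effective_value <user> <keyword>   (sshd_config text on stdin)
effective_value() {
    awk -v user="$1" -v key="$2" '
    BEGIN { in_match = 0; satisfied = 0; gval = ""; mval = "" }
    {
        sub(/#.*/, "")                        # drop comments
        n = split($0, f, /[ \t=]+/)           # accept "Key val" and "Key=val"
        i = 1; if (f[1] == "") i = 2          # skip empty field from leading blanks
        if (n < i + 1) next                   # blank line, or keyword without argument
        kw = tolower(f[i]); val = f[i + 1]
        if (kw == "match") {
            in_match = 1; satisfied = 0
            for (j = i + 1; j <= n; j += 2) {
                crit = tolower(f[j])
                if (crit == "all") satisfied = 1
                if (crit == "user") {
                    m = split(f[j + 1], users, ",")
                    for (u = 1; u <= m; u++) if (users[u] == user) satisfied = 1
                }
            }
            next
        }
        if (kw != tolower(key)) next
        if (!in_match) { if (gval == "") gval = val }   # global section: first value wins
        else if (satisfied && mval == "") mval = val    # Match: first satisfied block wins
    }
    END { print (mval != "" ? mval : gval) }
    '
}

# Constructed sshd_config (not a real OneFS file). The remediation block was
# appended at the end as the advisory instructs, but a stale Match block for
# the same user already sets AllowTcpForwarding.
demo_config() {
    cat <<'EOF'
AllowTcpForwarding yes
AllowStreamLocalForwarding yes

Match User remotesupport        # stale block left by an earlier change
    AllowTcpForwarding yes

Match User remotesupport        # block appended per the advisory
    AllowStreamLocalForwarding=no
    AllowTcpForwarding=no
EOF
}

# Report the two forwarding keywords as "<tcp> <stream>" for one user.
forwarding_for() {
    tcp=$(demo_config | effective_value "$1" AllowTcpForwarding)
    stream=$(demo_config | effective_value "$1" AllowStreamLocalForwarding)
    echo "$tcp $stream"
}

forwarding_for remotesupport   # → "yes no": the stale block keeps TCP forwarding on
forwarding_for root            # → "yes yes": unaffected by the Match blocks
```

The result for remotesupport shows the failure mode the CAUTION warns about: AllowStreamLocalForwarding is disabled by the appended block, but AllowTcpForwarding stays "yes" because the earlier Match block already set it. On a real node the authoritative check is OpenSSH's own evaluator, run as root: sshd -T -C user=remotesupport (add -f <file> to test a file other than the default sshd_config) prints the effective configuration with lowercased keyword names, so grep for allowtcpforwarding and allowstreamlocalforwarding. On OneFS 8.2.0 and later, verify the isi_gconfig values set above instead of editing the template.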
Acknowledgements
Dell would like to thank Andre Protas with Apple Information Security for reporting this issue.
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
23 Nov 2021