CVE-2021-36278: DSA-2021-142: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities

Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files. A local malicious user with ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT privileges may exploit this vulnerability to access sensitive information. If any third-party consumes those logs, the same sensitive information is available to those systems as well.

Impact

Critical

Details

Proprietary Code CVEs

CVE-2021-21568
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability. An authenticated user with ISI_PRIV_LOGIN_PAPI may make un-audited and un-trackable configuration changes to settings that their roles have privileges to change.
  CVSS Base Score: 4.3
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE-2021-21592
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. A remote low privileged user may potentially exploit this vulnerability, leading to unauthorized information disclosure.
  CVSS Base Score: 3.1
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2021-21594
  Description: Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a vulnerability in which the GET request method is used with sensitive query strings, which may lead to disclosure of sensitive data. Dell recommends upgrading at your earliest opportunity.
  CVSS Base Score: 8.2
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CVE-2021-21595
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command. This vulnerability may allow the compadmin user to elevate privileges. This is a critical vulnerability only for Smartlock WORM compliance mode clusters; Dell recommends updating or upgrading at the earliest opportunity.
  CVSS Base Score: 6.0
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2021-21599
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to escalate privileges and escape the compliance guarantees. This is a critical vulnerability only for Smartlock WORM compliance mode clusters; Dell recommends updating or upgrading at the earliest opportunity.
  CVSS Base Score: 6.0
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2021-36278
  Description: Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files. A local malicious user with ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT privileges may exploit this vulnerability to access sensitive information. If any third party consumes those logs, the same sensitive information is available to those systems as well. Dell recommends updating or upgrading at the earliest opportunity.
  CVSS Base Score: 8.1
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-36279
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster.
  CVSS Base Score: 7.8
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2021-36281
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user may potentially exploit this vulnerability to escalate privileges.
  CVSS Base Score: 7.5
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-36282
  Description: Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This may potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access to up to 24 bytes of data from the /ifs kernel stack under certain conditions.
  CVSS Base Score: 2.5
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity of a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed (Affected Versions | Updated Versions)

CVE-2021-21568
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2, 9.1.0.x, and 9.2.1.x | Updated: Download and install the latest RUP

CVE-2021-21592
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2, 9.1.0.x, and 9.2.1.x | Updated: Download and install the latest RUP

CVE-2021-21594
  Affected: 9.0.0.x | Updated: Upgrade your version of OneFS
  Affected: 8.2.2 and 9.1.0.x | Updated: Download and install the latest RUP

CVE-2021-21595
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2, 9.1.0.x, and 9.2.1.x | Updated: Download and install the latest RUP

CVE-2021-21599
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2 and 9.1.0.x | Updated: Download and install the latest RUP

CVE-2021-36278
  Affected: 8.2.x, 9.0.0.x, and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2 and 9.1.0.x | Updated: Download and install the latest RUP

CVE-2021-36279
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2 and 9.1.0.x | Updated: Download and install the latest RUP

CVE-2021-36281
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2, 9.1.0.x, and 9.2.1.x | Updated: Download and install the latest RUP

CVE-2021-36282
  Affected: 9.0.0.x and 9.2.0 | Updated: Upgrade your version of OneFS
  Affected: 8.2.2 and 9.1.0.x | Updated: Download and install the latest RUP

Link to Update (all CVEs): PowerScale Download Area

Additional Guidance: In addition to upgrading your version of OneFS or downloading and installing the latest RUP, Dell recommends changing the root password for PowerScale. If the root account is used by clients (for example, backup software, scripting), the clients must be updated with the new password. If the root password for PowerScale was used as a password elsewhere, Dell recommends changing these passwords and does not recommend using the same password on multiple accounts and programs.

Workarounds and Mitigations

In addition to applying the Workaround and Mitigations below, Dell recommends changing the root password for PowerScale. If the root account is used by clients (for example, backup software, scripting), the clients must be updated with the new password. If the root password for PowerScale was used as a password elsewhere, Dell recommends changing these passwords and does not recommend using the same password on multiple accounts and programs.

Workarounds or mitigations

CVE-2021-21568

Disallow ISI_PRIV_LOGIN_PAPI privileges to non-administrative users.

CVE-2021-21592

None

CVE-2021-21594

None

CVE-2021-21595

This only applies to clusters running in WORM Smartlock Compliance mode.

CVE-2021-21599

This only applies to clusters running in WORM Smartlock Compliance mode.

CVE-2021-36278

Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users.

CVE-2021-36279

Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users.
OR, as root on clusters that are not in Smartlock WORM Compliance Mode, the following remediates the issue:

  1. mkdir -p -m 750 /ifs/data/Isilon_Support/ /ifs/data/Isilon_Support/pkg/
  2. chmod o-rwx /ifs/data/Isilon_Support/ /ifs/data/Isilon_Support/pkg/
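
The script below is an added example and not part of Dell's advisory: it wraps the two remediation steps above so that the state of the two directories can be audited, and the fix rehearsed on a scratch directory, before it is run as root against /ifs. The base-path parameter, the function names and the audit output format are this example's own; the only commands taken from the advisory are the mkdir and chmod lines.

```shell
#!/bin/sh
# Added example (not from the Dell advisory): audit and, where wanted, apply the
# CVE-2021-36279 directory-permission remediation on a configurable base path.
# With no argument the functions act on /ifs; pass a scratch directory to test.

# Return 0 if "other" has no r/w/x bits on DIR, 1 if any are set or DIR is missing.
others_locked_down() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Characters 8-10 of `ls -ld` output are the "other" permission bits; this
    # is portable across GNU and BSD ls, whereas stat(1) flags differ.
    other=$(ls -ld "$dir" | cut -c8-10)
    [ "$other" = "---" ]
}

# Audit the two directories named in the advisory under BASE (default /ifs).
# Prints one line per directory; the return value is the number of directories
# that still expose bits to "other" (0 means both are locked down).
audit_support_dirs() {
    base=${1:-/ifs}
    bad=0
    for d in "$base/data/Isilon_Support" "$base/data/Isilon_Support/pkg"; do
        if others_locked_down "$d"; then
            echo "OK       $d"
        else
            echo "EXPOSED  $d"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Apply the advisory's two steps under BASE: create the directories with mode
# 750 if they are missing, then strip every "other" bit, which also corrects
# directories that already existed with a looser mode.
remediate_support_dirs() {
    base=${1:-/ifs}
    mkdir -p -m 750 "$base/data/Isilon_Support/" "$base/data/Isilon_Support/pkg/"
    chmod o-rwx "$base/data/Isilon_Support/" "$base/data/Isilon_Support/pkg/"
}
```

Running `audit_support_dirs` before and after `remediate_support_dirs` gives a before/after record for the change ticket; the non-zero return value makes the audit usable from a cron job or configuration-check pipeline.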

CVE-2021-36281

  • Do not have multiple LDAP records with the same LDAP UID (username)
  • Or do not allow LDAP users to set their own LDAP UID (username)
  • Or disable the usage of any LDAP authentication providers
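
A check for the first of these conditions, written here as an added example rather than anything from the advisory: it reads LDIF on standard input (for instance the result of an ldapsearch query that returns the uid attribute; the query itself is left to the operator) and reports every uid held by more than one entry. The sample LDIF embedded in the block is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Dell advisory): detect LDAP entries that share a
# uid (username), the first condition the CVE-2021-36281 workaround says to
# avoid. Only plain "uid: value" attribute lines are considered; base64-encoded
# values ("uid:: ...") and LDIF continuation lines are not decoded.

# Print one line per duplicated uid: "<uid><TAB><count><TAB><dn1>;<dn2>;...".
# Returns 0 whether or not duplicates are found; act on the output.
find_duplicate_uids() {
    awk '
        /^dn: /  { dn = substr($0, 5); next }    # start of a new entry
        /^uid: / {
            # The LDAP uid attribute uses a case-insensitive matching rule, so
            # "Alice" and "alice" are the same username; fold before counting.
            u = tolower(substr($0, 6))
            count[u]++
            dns[u] = (count[u] > 1) ? dns[u] ";" dn : dn
            next
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    printf "%s\t%d\t%s\n", u, count[u], dns[u]
        }
    ' | sort
}

# Constructed sample LDIF: two entries in different OUs collide on "alice".
sample_ldif() {
    printf 'dn: uid=alice,ou=people,dc=example,dc=com\nuid: alice\n\n'
    printf 'dn: uid=bob,ou=people,dc=example,dc=com\nuid: bob\n\n'
    printf 'dn: uid=Alice,ou=contractors,dc=example,dc=com\nuid: Alice\n'
}

# Run the check over the sample; prints the "alice" collision with both DNs.
demo_duplicates() {
    sample_ldif | find_duplicate_uids
}
```

The case folding is the point worth noting: a directory that permits users to pick their own uid can produce two entries that differ only in case, which is exactly the kind of collision an application resolving usernames case-insensitively will misattribute.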

CVE-2021-36282

Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users.
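
The same privilege-scoping workaround appears for CVE-2021-21568, CVE-2021-36278, CVE-2021-36279 and this CVE. The following added example, not part of Dell's advisory, flags every non-administrative role that holds one of the four privileges named in those workarounds. Its input format (one line per role: role name, a tab, then a comma-separated privilege list) is an assumption made for the example, as is the default list of administrative roles; producing that list from the cluster's own role listing is left to the operator, and the sample rows embedded in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the Dell advisory): report non-administrative roles
# that carry the login/support privileges the workarounds say to withhold.
# Input (stdin), one role per line: "<role name><TAB><priv1>,<priv2>,...".
# This layout is an assumption of the example, not a OneFS output format.

# Privileges the advisory's workarounds restrict to administrative users.
SENSITIVE_PRIVS="ISI_PRIV_LOGIN_PAPI ISI_PRIV_LOGIN_SSH ISI_PRIV_LOGIN_CONSOLE ISI_PRIV_SYS_SUPPORT"

# Roles treated as administrative (assumption; override via the environment).
ADMIN_ROLES=${ADMIN_ROLES:-"SystemAdmin SecurityAdmin"}

# Print "<role> <privilege>" for each non-admin role holding a sensitive
# privilege. Returns 0 when nothing is flagged, 1 when at least one line is.
flag_login_privs() {
    awk -v admins="$ADMIN_ROLES" -v sensitive="$SENSITIVE_PRIVS" '
        BEGIN {
            FS = "\t"
            n = split(admins, a, " ");    for (i = 1; i <= n; i++) is_admin[a[i]] = 1
            n = split(sensitive, s, " "); for (i = 1; i <= n; i++) is_sensitive[s[i]] = 1
        }
        NF >= 2 && !($1 in is_admin) {
            n = split($2, p, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", p[i])      # tolerate spaces after commas
                if (p[i] in is_sensitive) { print $1, p[i]; found = 1 }
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample roles. Only the four sensitive privileges above are taken
# from the advisory; the other privilege names are placeholders for this demo.
sample_roles() {
    printf 'SystemAdmin\tISI_PRIV_LOGIN_SSH,ISI_PRIV_LOGIN_CONSOLE,ISI_PRIV_LOGIN_PAPI\n'
    printf 'AuditReaders\tISI_PRIV_LOGIN_PAPI,ISI_PRIV_AUDIT\n'
    printf 'BackupOps\tISI_PRIV_LOGIN_SSH, ISI_PRIV_BACKUP\n'
    printf 'Readers\tISI_PRIV_SYS_SUPPORT\n'
}

# Run the check over the sample: three roles are flagged, SystemAdmin is not.
demo_flag() {
    sample_roles | flag_login_privs
}
```

Each flagged line names a role whose members can reach the SSH, console or API surfaces the advisory ties to the listed CVEs; removing the privilege from the role, or the non-administrative members from it, restores the intended least-privilege split.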

Revision History

Revision  Date        Description
1.0       2021-08-10  Initial Release
2.0       2021-08-26  CVE-2021-36280: partial fix; the complete fix is in the next advisory, DSA-2021-158
2.1       2022-03-11  Updated CVE-2021-36278 description for clarity.
3.0       2022-04-13  Updated CVE-2021-36278 score and provided additional remediation guidance.

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies Security Advisories bring important security information to the attention of users of the affected products. Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems, which may not represent the actual risk of your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers be liable for any damages whatsoever arising out of or in connection with the information contained herein or actions that you decide to take based thereon, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply only to the extent permitted by law.