Zu den Hauptinhalten
Abmelden

Willkommen bei Dell

Mein Konto
  • Bestellungen schnell und einfach aufgeben
  • Bestellungen anzeigen und den Versandstatus verfolgen
  • Profitieren Sie von exklusiven Prämien und Rabatten für Mitglieder
  • Erstellen Sie eine Liste Ihrer Produkte, auf die Sie jederzeit zugreifen können.
Anmelden Konto erstellen Premier-Anmeldung Anmeldung beim Partnerprogramm
Kontakt

Ihr Warenkorb bei Dell.com

DSA-2022-057: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities.

Zusammenfassung: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that could be exploited by malicious users to compromise the affected system.

Dieser Artikel gilt für   Dieser Artikel gilt nicht für 
Sehen Sie sich die Ressourcen an für

Auswirkungen

Critical

Details

 
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2022-26851 Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2022-26852 Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26854 Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24428 Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2022-26855 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22563 Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

 
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2022-26851 Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to telemetry data loss for Dell. 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2022-26852 Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26854 Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access. 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-24428 Dell PowerScale OneFS, versions 8.2.x - 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account with the ISI_PRIV_SMB role could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2022-26855 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22563 Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes. 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Dell Technologies empfiehlt allen Kunden, sowohl die CVSS-Gesamtbewertung als auch alle relevanten zeitlichen und umweltbezogenen Bewertungen zu berücksichtigen, die sich auf den potenziellen Schweregrad einer bestimmten Sicherheitsschwachstelle auswirken können.

Betroffene Produkte und Korrektur

CVE(s) Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2022-26851 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26852 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26854 9.0.0, 9.1.1.x, 9.2.0.x,
9.2.1.x, 9.3.0.x		 Upgrade your version of OneFS
9.1.0.x Download and install the latest RUP
9.4.0.x Contains the fix upon release
CVE-2022-24428 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26855 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22563 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE(s) Addressed Affected Version(s) Updated Version(s) Link to Update
CVE-2022-26851 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26852 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26854 9.0.0, 9.1.1.x, 9.2.0.x,
9.2.1.x, 9.3.0.x		 Upgrade your version of OneFS
9.1.0.x Download and install the latest RUP
9.4.0.x Contains the fix upon release
CVE-2022-24428 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-26855 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22563 9.0.0, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP

Workarounds und Korrekturmaßnahmen

CVE(s) Addressed Workaround and/or mitigation
CVE-2022-26851 none
CVE-2022-26852 none
CVE-2022-26854 Manually set the isi ssh settings to remove the KEy eXchange algorithms that are deprecated
1- To modify the supported key exchange algorithms (KEX algorithms): 
   #isi ssh settings modify --kex-algorithms="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,

    ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
2- Alternatively you may upgrade to Dell EMC PowerScale OneFS 9.4.0.0 which contains the fix

NOTE: The above is the default list with diffie-hellman-group14-sha1 removed.
CVE-2022-24428 none
CVE-2022-26855 none
CVE-2022-22563 none

Revisionsverlauf

RevisionDateDescription
1.02022-04-04Initial Release

Zugehörige Informationen

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Rechtlicher Hinweis

Betroffene Produkte

PowerScale OneFS, Product Security Information