High
Summary:
The home directory within Dell EMC Isilon OneFS and Dell EMC PowerScale OneFS requires a remediation to address a vulnerability.
CVE-2020-5353
The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory. An attacker may leverage a spoofed Unique Identifier (UID) over NFS to rewrite sensitive files to gain administrative access to the system.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2020-5353
The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory. An attacker may leverage a spoofed Unique Identifier (UID) over NFS to rewrite sensitive files to gain administrative access to the system.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected products:
Dell EMC Isilon OneFS versions 8.2.2 and earlier
Dell EMC PowerScale version 9.0.0
Remediation:
For Dell EMC PowerScale OneFS version 9.0.0, the fix is contained in the release.
For Dell EMC Isilon OneFS version 8.2.2, the fix for this issue is included with the June 2020 Rollup Patch, as well as all future Rollup Patches. For more information and to obtain a Rollup patch, see the Current Isilon OneFS Patches document.
For Dell EMC Isilon OneFS version 8.2.1 and 8.1.2 the fix for this issue is included with the May 2020 Rollup Patch, as well as all future Rollup Patches.
Dell EMC recommends all customers upgrade at the earliest opportunity.
Workaround:
There are several options to choose from:
Disable NFS
Move the admin home directory
Enable Kerberos authentication
Disable NFS
Open a SSH connection to any node in the cluster and log in as root.
Stop NFS as a service:
isi services nfs disable
Move the Admin Home Directory
For more information, see KB article 320432: How to move the admin home directory
Enable Kerberos Authentication
For information about enabling Kerberos authentication, see the following sections of the OneFS CLI Administration Guide:
Authentication chapter, Managing MIT Kerberos authentication section.
File sharing chapter, Managing NFS Exports section.
For information about Using NFS with Active Directory Kerberos and Using NFS with MIT Kerberos, see sections 5.2.1 and 5.2.2 of the Isilon OneFS NFS Design Considerations and Best Practices whitepaper.
Affected products:
Dell EMC Isilon OneFS versions 8.2.2 and earlier
Dell EMC PowerScale version 9.0.0
Remediation:
For Dell EMC PowerScale OneFS version 9.0.0, the fix is contained in the release.
For Dell EMC Isilon OneFS version 8.2.2, the fix for this issue is included with the June 2020 Rollup Patch, as well as all future Rollup Patches. For more information and to obtain a Rollup patch, see the Current Isilon OneFS Patches document.
For Dell EMC Isilon OneFS version 8.2.1 and 8.1.2 the fix for this issue is included with the May 2020 Rollup Patch, as well as all future Rollup Patches.
Dell EMC recommends all customers upgrade at the earliest opportunity.
Workaround:
There are several options to choose from:
Disable NFS
Move the admin home directory
Enable Kerberos authentication
Disable NFS
Open a SSH connection to any node in the cluster and log in as root.
Stop NFS as a service:
isi services nfs disable
Move the Admin Home Directory
For more information, see KB article 320432: How to move the admin home directory
Enable Kerberos Authentication
For information about enabling Kerberos authentication, see the following sections of the OneFS CLI Administration Guide:
Authentication chapter, Managing MIT Kerberos authentication section.
File sharing chapter, Managing NFS Exports section.
For information about Using NFS with Active Directory Kerberos and Using NFS with MIT Kerberos, see sections 5.2.1 and 5.2.2 of the Isilon OneFS NFS Design Considerations and Best Practices whitepaper.
Dell would like to thank Knud from F-Secure for reporting this issue.