Medium
Summary:
The SSHD configuration within Dell EMC Isilon OneFS requires a remediation to address a vulnerability.
CVE-2020-5355
The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.
CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected products:
Dell EMC Isilon OneFS versions 8.2.2 and earlier.
For Dell EMC Isilon OneFS versions 8.2.2 and earlier, see the Workaround section below.
Workaround:
There are three options available to work around this issue:
Disable users with restricted shells
Open a secure shell (SSH) connection to any node in the cluster and log in as root.
Run the following command:
isi auth users modify remotesupport --enabled=false
Disable forwarding of UNIX domain and TCP sockets
For 8.2.0 and later:
Open a secure shell (SSH) connection to any node in the cluster and log in as root.
Run the following commands:
isi_gconfig -t ssh-config allow_tcp_forwarding=no
isi_gconfig -t ssh-config allow_stream_local_forwarding=no
Versions prior to 8.2.0
Open a secure shell (SSH) connection to each node in the cluster and log in as root.
On each node, set the following in the /etc/mcp/templates/sshd_config file:
AllowStreamLocalForwarding=no
AllowTcpForwarding=no
Note: (Versions prior to 8.2.0 only) Modify the SSH server config to disable forwarding of UNIX domain and TCP sockets for users with restricted shells.
Open a secure shell (SSH) connection to each node in the cluster and log in as root.
On each node, append the following to the end of the /etc/mcp/templates/sshd_config file:
Match User remotesupport
AllowStreamLocalForwarding=no
AllowTcpForwarding=no
Note: To make these settings persist, see KB article 530021: {Isilon} - SSH: How to modify the sshd_config file to persist upgrades
CAUTION: The Match keyword will open a conditional block that applies until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
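To check the first-instance rule from the CAUTION above before relying on an appended Match block, the following added example (not Dell's code) computes which forwarding values apply to a given user in an sshd_config-style file. The function name effective_fwd, the temporary file and the sample config are constructed for illustration, and the parser is a simplified model: it evaluates only "Match User" with exact names and "Match all".

```shell
# effective_fwd CONFIG USER: print the forwarding settings that apply to USER.
# Simplified model of sshd_config (assumption): only "Match User <names>" and
# "Match all" are evaluated, names are compared exactly (no wildcards), and a
# Match line with any other criterion is treated as not satisfied.
effective_fwd() {
  awk -v user="$2" '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" { next }
    {
      line = $0; sub(/[ \t]*=[ \t]*/, " ", line)   # accept Keyword=value
      n = split(line, f, /[ \t]+/); kw = tolower(f[1])
      if (kw == "match") {
        in_match = 1; sat = 1
        if (!(n == 2 && tolower(f[2]) == "all"))
          for (i = 2; i <= n; i += 2) {
            hit = 0
            if (tolower(f[i]) == "user") {
              c = split(f[i + 1], names, ",")
              for (j = 1; j <= c; j++) if (names[j] == user) hit = 1
            }
            if (!hit) sat = 0
          }
        next
      }
      if (kw != "allowtcpforwarding" && kw != "allowstreamlocalforwarding") next
      val = tolower(f[2])
      # First instance wins, both globally and across satisfied Match blocks.
      if (!in_match) { if (!(kw in gl)) gl[kw] = val }
      else if (sat && !(kw in mb)) mb[kw] = val
    }
    END {
      split("allowtcpforwarding allowstreamlocalforwarding", ks, " ")
      for (i = 1; i <= 2; i++) {
        k = ks[i]; sep = (i > 1) ? " " : ""
        v = (k in mb) ? mb[k] : ((k in gl) ? gl[k] : "yes")   # sshd default: yes
        out = out sep k "=" v
      }
      print out
    }' "$1"
}

# Constructed sample: an earlier block for the same user shadows the appended one.
tmp=$(mktemp -d)
printf '%s\n' 'Match User remotesupport' 'AllowTcpForwarding yes' \
  'Match User remotesupport' 'AllowStreamLocalForwarding=no' \
  'AllowTcpForwarding=no' > "$tmp/shadowed"
effective_fwd "$tmp/shadowed" remotesupport
```

In the constructed sample, TCP forwarding stays enabled for remotesupport even though the appended block sets it to no, because an earlier satisfied Match block already set the keyword.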
Dell would like to thank Andre Protas with Apple Information Security for reporting this issue.