Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Nine Remotely Exploitable Vulnerabilities Found in Dell EMC Storage Platform

Nine remotely exploitable vulnerabilities have been found in Dell EMC’s Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.

Nine remotely exploitable vulnerabilities have been found in Dell EMC’s Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.

“Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root,” warns an advisory released today.

The vulnerabilities were discovered by researchers Ivan Huertas and Maximiliano Vidal from CoreLabs, the research center of Core Security, and disclosed to Dell in September 2017. A range of Isilon OneFS versions from 7.1.1.11 to 8.0.1.2 were found to be affected by two or more of the vulnerabilities. “Other products and versions might be affected, but they were not tested,” states the advisory.

The Isilon web console contains several features that are vulnerable to cross-site request forgery. Since there are no anti-CSRF tokens in any forms on the web interface, an attacker can submit authenticated requests when an authenticated user browses an attacker-controlled domain. If social engineering can convince an authenticated user or administrator to visit a malicious website, embedded code could be executed to create a new user with elevated privileges, or execute arbitrary commands in the target system.

This is the first (CVE-2018-1213) of the nine vulnerabilities. Two privilege escalation vulnerabilities could then be used, once initial access has been achieved, to allow the attacker to run shell commands or arbitrary Python code with root privilege. 

The first of these (CVE-2018-1203) is possible because of incorrect sudo permissions. “The compadmin user can run the tcpdump binary with root privileges via sudo,” explains the advisory. “This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files.”

The second (CVE-2018-1204) is privilege escalation via remote support scripts. “As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo,” explain the researchers. “This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges.”

The remaining six vulnerabilities are persistent cross-site scripting errors: in the cluster description; the Network Configuration page; the Authentication Providers page; the Antivirus page; the Job Operations page; and the NDMP page.

All nine vulnerabilities were responsibly disclosed to Dell EMC on 25 September 2017. At first (about one month later), Dell proposed an update schedule including June 2018. CoreLabs replied that this was unacceptable given “given current industry standards.”

Dell reviewed its schedules, and confirmed that they would have a fix available by February 12, 2018. The two parties agreed to release details of the vulnerabilities and fixes on February 14. Dell’s fixes are available from its support site today. Dell’s own advisory will be posted to the Full Disclosure mailing list today. It had not been done at the time of writing this article.

Dell completed the acquisition of data storage firm EMC in September 2016 in a record $67 billion deal. In the same deal, Dell also acquired RSA.

Core Security merged with SecureAuth and raised more than $200 million from K1 Investment Management and Toba Capital in September 2017.

Written By

Click to comment

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.