Nine remotely exploitable vulnerabilities have been found in Dell EMC’s Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.
“Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root,” warns an advisory released today.
The vulnerabilities were discovered by researchers Ivan Huertas and Maximiliano Vidal from CoreLabs, the research center of Core Security, and disclosed to Dell in September 2017. A range of Isilon OneFS versions from 7.1.1.11 to 8.0.1.2 were found to be affected by two or more of the vulnerabilities. “Other products and versions might be affected, but they were not tested,” states the advisory.
The Isilon web console contains several features that are vulnerable to cross-site request forgery. Since there are no anti-CSRF tokens in any forms on the web interface, an attacker can submit authenticated requests when an authenticated user browses an attacker-controlled domain. If social engineering can convince an authenticated user or administrator to visit a malicious website, embedded code could be executed to create a new user with elevated privileges, or execute arbitrary commands in the target system.
This is the first (CVE-2018-1213) of the nine vulnerabilities. Two privilege escalation vulnerabilities could then be used, once initial access has been achieved, to allow the attacker to run shell commands or arbitrary Python code with root privilege.
The first of these (CVE-2018-1203) is possible because of incorrect sudo permissions. “The compadmin user can run the tcpdump binary with root privileges via sudo,” explains the advisory. “This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files.”
The second (CVE-2018-1204) is privilege escalation via remote support scripts. “As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo,” explain the researchers. “This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges.”
The remaining six vulnerabilities are persistent cross-site scripting errors: in the cluster description; the Network Configuration page; the Authentication Providers page; the Antivirus page; the Job Operations page; and the NDMP page.
All nine vulnerabilities were responsibly disclosed to Dell EMC on 25 September 2017. At first (about one month later), Dell proposed an update schedule including June 2018. CoreLabs replied that this was unacceptable given “given current industry standards.”
Dell reviewed its schedules, and confirmed that they would have a fix available by February 12, 2018. The two parties agreed to release details of the vulnerabilities and fixes on February 14. Dell’s fixes are available from its support site today. Dell’s own advisory will be posted to the Full Disclosure mailing list today. It had not been done at the time of writing this article.
Dell completed the acquisition of data storage firm EMC in September 2016 in a record $67 billion deal. In the same deal, Dell also acquired RSA.
Core Security merged with SecureAuth and raised more than $200 million from K1 Investment Management and Toba Capital in September 2017.
More from Kevin Bowers
- Alexa May Be Recording More Than You Realize
- UK’s NCSC Adopts HackerOne for Vulnerability Coordination Disclosure
- Artificial Intelligence in Cybersecurity is Not Delivering on its Promise
- Untangle Partners With Malwarebytes to Bring Layered Security to SMBs
- Testing Security Products: Third-Party Standards vs. In-House Testing
- New Cyber Readiness Program Launched for SMBs
- Personal Details of 120 Million Brazilians Exposed
- Researchers Find Thousands of Twitter Amplification Bots in Just One Day
Latest News
- F5 Working on Patch for BIG-IP Flaw That Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
- Cyber Insights 2023 | Ransomware
