Dell Delivers Patch for Vulnerable File System
Dell has released patches for its PowerScale OneFS file system that address six security vulnerabilities.
Dell describes the file system, which originated at EMC, as a “highly scalable, high-performance modular storage architecture” used with all Isilon storage systems.
For all but one of the bugs there is no mitigation other than patching, but patched software is available for all versions.
The most critical of the vulnerabilities, with a Common Vulnerability Scoring System (CVSS) score of 9.1, is CVE-2022-26851. Affected versions of PowerScale OneFS software contain a “predictable filename from observable state” weakness.
An unprivileged network attacker could exploit the vulnerability, “leading to loss of telemetry for Dell.”
Next on the list is CVE-2022-26852: the software has a predictable seed in a pseudo-random number generator (CVSS score 8.1).
This exposes the system to a remote attack, “leading to a compromised account”.
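Both of the weakness classes named so far (a filename derived from observable state, and a PRNG seeded predictably) come down to the same property: the output is reproducible by anyone who can observe or guess the seed. The following illustration is added here and is not code from Dell or the OneFS product; it contrasts a constructed weak generator with Python's CSPRNG and shows the defender's check (does the same seed give the same name twice?) plus an O_EXCL, owner-only temp file. The seed value and file names are constructed sample values.

```python
"""Added illustration, not code from Dell or the OneFS project.

Contrasts a name generator seeded with observable state (reproducible) with
one drawn from the OS CSPRNG, and creates a temp file whose name cannot be
guessed ahead of time and whose creation fails if the path already exists.
"""
import os
import random
import secrets
import stat
import tempfile


def weak_name(seed, nbytes=8):
    """Constructed weak pattern: random.Random seeded with an observable value
    (for example a second-resolution timestamp). Anyone who knows the seed
    regenerates exactly the same name."""
    rng = random.Random(seed)
    return "tmp_" + rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def strong_name(_seed=None, nbytes=8):
    """Name from the OS CSPRNG. The seed argument is accepted only so the same
    check can be run against both generators; it is ignored because a CSPRNG
    has no caller-controlled seed."""
    return "tmp_" + secrets.token_hex(nbytes)


def is_reproducible(gen, seed):
    """Defender's check: calling gen(seed) twice yields the same name.
    True means the generator is a deterministic function of its seed and
    must not be used for temp names, tokens or anything secret."""
    return gen(seed) == gen(seed)


def secure_tempfile(directory):
    """Create a temp file with a CSPRNG-derived name, opened with O_EXCL so a
    file pre-placed at a guessed path causes failure rather than reuse, and
    with owner-only (0600) permissions on POSIX."""
    fd, path = tempfile.mkstemp(prefix="tmp_", dir=directory)
    os.close(fd)
    return path


def file_is_private(path):
    """True if no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo(seed=1_700_000_000):
    """Run all checks and return the results as a dict (seed is constructed)."""
    with tempfile.TemporaryDirectory() as d:
        path = secure_tempfile(d)
        private = file_is_private(path)
        distinct = secure_tempfile(d) != path
    return {
        "weak_reproducible": is_reproducible(weak_name, seed),
        "strong_reproducible": is_reproducible(strong_name, seed),
        "tempfile_private": private,
        "tempfile_names_distinct": distinct,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `is_reproducible` is that it is a cheap unit test: any generator that returns the same value for the same seed is, by construction, predictable to whoever can observe that seed, which is exactly the condition the advisory describes.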
In CVE-2022-26854, Dell indicates that “risky cryptographic algorithms” are used in some versions of file system software, but does not specify which algorithms are used (CVSS score 8.1).
However, they could give a remote attacker “full system access,” the advisory says.
The other three vulnerabilities are less severe.
CVE-2022-24428 (CVSS score 6.3) is a local privilege escalation vulnerability “due to poor privilege preservation”; CVE-2022-26855 (CVSS score 5.5) is a bad local default permissions vulnerability; and CVE-2022-22563 (CVSS score 4.4) could allow a privileged user to modify account information without being logged in.