Knowledge Base Article: 000517728


DSA-2018-018: Dell EMC Isilon OneFS Multiple Vulnerabilities. (000517728)
Primary Product : Isilon OneFS
Product : Isilon OneFS 8.1, Isilon OneFS 8.0, Isilon OneFS 7.2, Isilon OneFS 7.1, Isilon OneFS, Product Security Information,
Isilon OneFS 8.1.0.0, Isilon OneFS 8.1.0.1, Isilon OneFS 8.0.1.0, Isilon OneFS 8.0.1.1, Isilon OneFS 8.0.1.2, Isilon OneFS 7.1.1.11

Version: 3 Article Type: ESA Audience: Level 30 = Customers Last Published: Mon Feb 26 20:20:23 GMT 2018

Summary:

CVE Identifier:
CVE-2018-1186 CVE-2018-1187 CVE-2018-1188 CVE-2018-1189
CVE-2018-1201 CVE-2018-1202 CVE-2018-1203 CVE-2018-1204
CVE-2018-1213

See the Affected Products section for details on which CVEs impact each version of Isilon.

EMC Identifier:
DSA-2018-018

Severity: High

Severity Rating: CVSS Base Score: See below for CVSS v3 scores

Details:
Incorrect Authorization Vulnerability (CVE-2018-1203)

In Dell EMC Isilon OneFS, the compadmin user is permitted to run the tcpdump binary with root privileges via sudo.
Because tcpdump then executes as root, a malicious compadmin may potentially use it to execute arbitrary code with root
privileges.
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
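
The advisory does not say how compadmin's sudo right to tcpdump is abused, only that a binary run as root under sudo is enough. The check below is an added example, not Dell EMC code and not a copy of the OneFS sudo configuration (which the advisory does not publish): it parses sudoers-syntax rules, such as a sudoers file or sudoers.d fragment copied from a node, expands Cmnd_Alias definitions, and flags any rule that lets a user run tcpdump or another well-known shell-escape binary as root. The sample rules and the list of flagged binaries are constructed for illustration.

```python
"""Flag sudoers rules that hand the invoking user arbitrary code execution as root.

Added example for this advisory, not Dell EMC code. The real OneFS sudo
configuration is not published in the advisory, so SAMPLE_SUDOERS below is
constructed. Run audit_sudoers() over a sudoers file copied from a node to
confirm that, after patching, compadmin is no longer granted tcpdump as root."""
import os
import re
from typing import Dict, Iterator, List, NamedTuple, Set, Tuple

# Binaries that let their caller start another program. tcpdump is here because
# it has a documented -z option that runs a post-rotate command; the rest are
# common shell-escape binaries. Illustrative assumption, not an exhaustive list.
ESCAPE_BINARIES = {"tcpdump", "find", "vi", "vim", "less", "more", "awk",
                   "perl", "python", "sh", "bash", "csh", "tcsh"}

# Tags that may prefix a command in a sudoers Cmnd_Spec.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
NON_RULE_KEYWORDS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
_RUNAS = re.compile(r"^\(([^)]*)\)\s*(.*)$")

# Constructed sample, not a real OneFS sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias DIAG = /usr/sbin/tcpdump, /sbin/ping
compadmin ALL = (root) NOPASSWD: DIAG
compadmin ALL = (root) NOEXEC: /usr/bin/less /var/log/messages
operator  ALL = (operator) /usr/bin/vim
backup    ALL = (ALL) ALL
"""

class Finding(NamedTuple):
    user: str
    runas: str
    command: str
    reason: str

def _logical_lines(text: str) -> Iterator[str]:
    """Yield sudoers lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].rstrip()
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line:
            yield line

def _strip_tags(spec: str) -> Tuple[Set[str], str]:
    """Split 'NOPASSWD: NOEXEC: /usr/sbin/tcpdump -i em0' into its tags and command."""
    tokens = spec.split()
    tags: Set[str] = set()
    while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
        tags.add(tokens.pop(0)[:-1])
    return tags, " ".join(tokens)

def _classify(command: str, tags: Set[str]) -> str:
    """Return why a command yields arbitrary root execution, or '' if it does not."""
    if command == "ALL":
        return "any command permitted"
    prog = os.path.basename(command.split()[0]) if command else ""
    if prog not in ESCAPE_BINARIES:
        return ""
    if "NOEXEC" in tags:
        # NOEXEC blocks exec() only from dynamically linked binaries via LD_PRELOAD.
        return f"{prog} can spawn programs; NOEXEC set, partial mitigation only"
    return f"{prog} can spawn programs as root"

def audit_sudoers(text: str) -> List[Finding]:
    """Parse user specs (one Runas_Spec per line; Cmnd_Aliases expanded) and flag them."""
    aliases: Dict[str, List[str]] = {}
    findings: List[Finding] = []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first == "Cmnd_Alias":
            name, _, body = line[len(first):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        if first in NON_RULE_KEYWORDS:
            continue
        lhs, sep, rhs = line.partition("=")
        if not sep:
            continue
        user = lhs.split()[0]
        match = _RUNAS.match(rhs.strip())
        runas, cmnd_list = (match.group(1), match.group(2)) if match else ("root", rhs.strip())
        runas_user = runas.split(":")[0].strip() or "root"  # no Runas_Spec means root
        if runas_user not in ("root", "ALL"):
            continue  # not a root privilege boundary
        for spec in cmnd_list.split(","):
            tags, command = _strip_tags(spec.strip())
            if not command or command.startswith("!"):
                continue
            for cmd in aliases.get(command, [command]):
                reason = _classify(cmd, tags)
                if reason:
                    findings.append(Finding(user, runas_user, cmd, reason))
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user} -> ({f.runas}) {f.command}: {f.reason}")
```

On the sample the audit reports compadmin's tcpdump grant (reached through the DIAG alias), the NOEXEC-tagged less rule, and backup's blanket ALL; the operator rule is ignored because it does not run as root. NOEXEC is reported rather than accepted as a fix because it only intercepts exec() in dynamically linked programs that honour LD_PRELOAD. Per-command Runas_Specs and nested aliases are out of scope for this parser.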

Path Traversal Vulnerability (CVE-2018-1204)

Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious
compadmin may potentially exploit this vulnerability to execute arbitrary code with root privileges.
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Cross-Site Scripting Vulnerability in Cluster Description (CVE-2018-1186)

Dell EMC Isilon is affected by a cross-site scripting vulnerability in the Cluster description of the OneFS web
administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in
the user’s browser session in the context of the OneFS website.
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Cross-Site Scripting Vulnerability in Network Configuration Page (CVE-2018-1187)

Dell EMC Isilon is affected by a cross-site scripting vulnerability in the Network Configuration page within the
OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or
JavaScript code in the user’s browser session in the context of the OneFS website.
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Cross-Site Scripting Vulnerability in Authorization Providers Page (CVE-2018-1188)

Dell EMC Isilon is affected by a cross-site scripting vulnerability in the Authorization Providers page within the
OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or
JavaScript code in the user’s browser session in the context of the OneFS website.
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Cross-Site Scripting Vulnerability in Antivirus Page (CVE-2018-1189)

Dell EMC Isilon is affected by a cross-site scripting vulnerability in the Antivirus Page within the OneFS web
administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in
the user’s browser session in the context of the OneFS website.
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Cross-Site Scripting Vulnerability in Job Operations Page (CVE-2018-1201)

Dell EMC Isilon is affected by a cross-site scripting vulnerability in the Job Operations Page within the OneFS
web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code
in the user’s browser session in the context of the OneFS website.
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Cross-Site Scripting Vulnerability in NDMP Page (CVE-2018-1202)

Dell EMC Isilon is affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web
administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in
the user’s browser session in the context of the OneFS website.
CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

Cross-Site Request Forgery Vulnerability (CVE-2018-1213)

Dell EMC Isilon OneFS is affected by a cross-site request forgery vulnerability. A malicious user may potentially
exploit this vulnerability to send unauthorized requests to the server on behalf of authenticated users of the
application.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Resolution:
The following Dell EMC Isilon OneFS maintenance releases address these vulnerabilities (except for CVE-2018-1213):

Dell EMC Isilon OneFS 8.1.0.2

Patches are available for the following versions:

Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only)

Patch-213282 for OneFS 8.1.0.1 (all except CVE-2018-1213)

Patch-213278 for OneFS 8.0.0.6 (all CVEs)

Patch-217637 for OneFS 8.0.0.5 (all CVEs)

Patch-211980 for OneFS 8.0.0.4 (all CVEs)

Dell EMC recommends that all customers upgrade to a version or patch which addresses these vulnerabilities at the
earliest opportunity.

This advisory will be updated when fixes are available for additional versions as well as when fixes are available for
CVE-2018-1213.

Matrix table illustrating affected OneFS versions (X = affected; the fix for CVE-2018-1213 was in progress at publication):

                                OneFS 8.1.0.2  OneFS 8.1.0.0  OneFS 8.0.1.0  OneFS 8.0.0.0  OneFS 7.2.1.x  OneFS 7.1.1.11
                                               – 8.1.0.1      – 8.0.1.2      – 8.0.0.6
CVE-2018-1186                   Not affected   X              X              X              X              X
CVE-2018-1187                   Not affected   X              X              X              Not affected   Not affected
CVE-2018-1188                   Not affected   X              X              X              X              Not affected
CVE-2018-1189                   Not affected   X              X              X              X              X
CVE-2018-1201                   Not affected   X              X              X              X              X
CVE-2018-1202                   Not affected   X              X              X              X              Not affected
CVE-2018-1203                   Not affected   X              X              X              Not affected   Not affected
CVE-2018-1204                   Not affected   X              X              X              X              X
CVE-2018-1213 (fix in progress) X              X              X              X              X              X

Credits:
Dell EMC would like to thank Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services for reporting
these vulnerabilities.

Problem Code: EMC Software;Security Vulnerability

Severity Disclaimer: For an explanation of Severity Ratings, refer to EMC Knowledgebase article 468307. EMC recommends that all customers
take into account both the base score and any relevant temporal and environmental scores which may impact the
potential severity associated with a particular security vulnerability.

Legal Information: Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the
problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical
Support at 1-877-534-2867. EMC Corporation distributes EMC Security Advisories in order to bring important security
information to the attention of users of the affected EMC products. EMC recommends that all users determine the
applicability of this information to their individual situations and take appropriate action. The information set forth herein is
provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the
warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its
suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits
or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Article Properties: Validation Status: Approved Original Create Date: Mon Feb 26 19:04:41 GMT 2018

Channels: First Published: Wed Feb 14 23:01:26 GMT 2018

Originally Created By: Tania Ward Last Modified: Mon Feb 26 20:20:23 GMT 2018