Update: Dell storage platform security bugs allow root access

News by Jay Jay

Security researchers recently unearthed up to nine security vulnerabilities in Dell EMC's Isilon OneFS platform that could allow remote attackers to launch social engineering attacks and subsequently access the Isilon systems at root.


Dell EMC's Isilon OneFS platform, a scale-out network-attached storage platform offering up to 50 petabytes of high-volume storage, backup and archiving of unstructured data, was recently found to contain nine security vulnerabilities that could allow remote attackers to perform various actions to compromise the security of data stored on the platform.

According to security firm CoreLabs, which discovered the vulnerabilities, they were found in the web console of the Isilon OneFS platform and left the console vulnerable to cross-site request forgery (CSRF). The firm first reported the vulnerabilities to Dell, and the company finally patched them on 12 February.

While analysing the Isilon OneFS platform, the researchers found that the Web Console exposed several sensitive actions that remote attackers could abuse. These included adding new users with SSH access and re-mapping existing storage directories to grant read-write-execute access to all users.

Because the Web interface lacked anti-CSRF tokens, CoreLabs explained, a remote attacker could submit authenticated requests on a user's behalf whenever that authenticated user browsed a domain controlled by the attacker. To trigger such a request, an attacker could use social engineering tactics such as phishing emails that lure authenticated users into clicking links to websites compromised by the attacker.

The researchers also found that if a remote attacker obtained access to a system by fooling an authenticated user, the attacker could use the privilege escalation vulnerabilities to run shell commands or arbitrary Python code with root privileges.

The cross-site scripting vulnerabilities, meanwhile, allowed an attacker to use social engineering to make users or administrators of the Web console execute arbitrary scripts and leak their cookies. Using these cookies, a hacker could then impersonate an authenticated user to gain access to the system.
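The two weaknesses described above, missing anti-CSRF tokens and cookies that script can read, are both addressed by server-side controls. The following Python snippet is an added illustration written for this article; it is not code from Dell EMC, OneFS or CoreLabs. It shows a synchronizer-token check bound to the session, an Origin/Referer host check, and a session cookie issued with HttpOnly, Secure and SameSite so that injected script cannot read it and browsers do not attach it to cross-site requests. The host name `isilon.example.internal`, the session id and the `add_user` action are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed server-side secret; regenerated per process here for the example.
SECRET_KEY = secrets.token_bytes(32)

# Constructed placeholder for the console's own host name.
EXPECTED_HOST = "isilon.example.internal"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session synchronizer token (HMAC of the session id).

    The token is embedded in the console's own forms; a page on an
    attacker-controlled domain cannot read it, so it cannot forge it.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for the session cookie.

    HttpOnly keeps the value out of reach of injected script (the cookie
    theft path in the XSS bugs); SameSite=Strict stops the browser from
    attaching it to requests initiated from another site (the CSRF path).
    """
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def validate_state_changing_request(headers: dict, form: dict, session_id: str):
    """Gate a sensitive action such as creating a user.

    Returns (ok, reason). The request must carry the session's token in
    the form body, and if the browser sent Origin or Referer, that header
    must name the console's own host.
    """
    token = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"

    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None:
        host = urlsplit(origin).hostname
        if host != EXPECTED_HOST:
            return False, f"cross-origin request from {host}"

    return True, "ok"


if __name__ == "__main__":
    sid = "constructed-session-id"
    tok = issue_csrf_token(sid)
    # Legitimate request from the console's own page.
    print(validate_state_changing_request(
        {"Origin": f"https://{EXPECTED_HOST}"},
        {"action": "add_user", "csrf_token": tok}, sid))
    # Forged request submitted from an attacker-controlled page: no token.
    print(validate_state_changing_request(
        {"Origin": "https://attacker.example"},
        {"action": "add_user"}, sid))
```

The form-token check is the primary control; the Origin/Referer check is defence in depth, since some clients omit both headers. Running the block prints `(True, 'ok')` for the genuine request and a rejection for the forged one.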

Dell EMC reports that it has no knowledge of any attacks on its customers related to these vulnerabilities in Isilon OneFS. In an email to SC Media UK, Dell EMC said it has released security updates to address the reported vulnerabilities in Isilon OneFS and alerted its customers via a security advisory (DSA-2018-018), available at: https://support.emc.com/kb/517728. Registered Dell EMC Online Support customers can download OneFS updates from the Downloads for Isilon OneFS page of the Dell EMC Online Support site at https://support.emc.com/downloads/15209_Isilon-OneFS

In a statement the company says: "With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities. This is a good example of coordinated disclosure in action. More details on the Dell EMC documented Vulnerability Response Policy can be found at: https://www.emc.com/products/security/product-security-response-center."

This isn't the first time that security vulnerabilities were discovered in Dell EMC's products. In July last year, researchers discovered a high severity vulnerability in the EMC Secure Remote Support (ESRS) Policy Manager that could allow hackers to gain web access and take information from applications. Again Dell EMC points out that it has no knowledge of a successful attack or known exploit related to these reported vulnerabilities.

The vulnerability pertained to the presence of an undocumented account (OpenDS admin) with a default password in the product. According to an advisory issued by Dell EMC, a remote attacker with the knowledge of the default password could log in to the system and gain administrator privileges to the local LDAP directory server.

"If an attacker can trick an Isilon OneFS administrator into visiting an attacker-controlled website (eg: via a phishing attack) while the administrator is logged in, then the attacker will be able to get access to the system by creating a new administrator user (due to the Cross-Site Request Forgery vulnerability) or hijacking the administrator's session and impersonating him by leveraging any of the Cross-Site Scripting vulnerabilities," said Alberto Solino, director of research from Core Advisories Team at SecureAuth + Core Security.

"These types of issues (Cross Site Request Forgery and Cross Site Scripting) are issues we're seeing repeatedly while testing security products. In this specific case, in order to ensure users of Isilon OneFS are not victimised by these specific vulnerabilities reported, it is imperative to apply the vendor supplied patches," he added.

In an email to SC Magazine UK, Mark James, security specialist at ESET, said: "With the understanding that vulnerabilities and exploits are bad for everyone, it's good to see the continued interest in finding and correctly reporting such occurrences. It allows responsible vendors to fix holes and release patches in a timely manner, and where needed, may even encourage a vendor to act faster to protect the individuals or organisations that may be affected by any exploits created. Most companies do not have the expertise or knowledge to find these vulnerabilities in the first place, so utilising the outside expertise helps everyone."

He added that affected customers of vulnerable platforms like Dell EMC's Isilon OneFS should either uninstall the software until a patch arrives or should keep their patch and update policies up to date and executed in a timely manner to avoid being victimised by hackers.
