Core Security - Corelabs Advisory
http://ift.tt/140w507

Dell EMC Isilon OneFS Multiple Vulnerabilities

1. **Advisory Information**

Title: Dell EMC Isilon OneFS Multiple Vulnerabilities
Advisory ID: CORE-2017-0009
Advisory URL: http://ift.tt/2nZEL4m
Date published: 2018-02-14
Date of last update: 2018-02-14
Vendors contacted: Dell EMC
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202

3. **Vulnerability Description**

Dell EMC's website states that:[1]

The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace.

The platform's unified software provides centralized Web-based and command-line administration to manage the following features:

- A cluster that runs a distributed file system
- Scale-out nodes that add capacity and performance
- Storage options that manage files and tiering
- Flexible data protection and high availability
- Software modules that control costs and optimize resources

Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root.

4. **Vulnerable Packages**

. Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204)
. Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs)
. Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs)
. Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs)
. Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213)
. Dell EMC Isilon OneFS version 7.1.1.11 (CVE-2018-1186, CVE-2018-1201, CVE-2018-1202, CVE-2018-1204, CVE-2018-1213)

Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**

Dell EMC provided a link to the Download for Isilon OneFS page, which contains the patches:

. http://ift.tt/1UkWYza

6. **Credits**

These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. **Technical Description / Proof of Concept Code**

The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9).

7.1. **Cross-site request forgery leading to command execution** [CVE-2018-1213]

There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users.

All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the Content-Type that is set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain Content-Type and sending the request body as JSON_PAYLOAD=ignored.

The following proof of concept creates a new user and assigns it a new role with enough privileges to log in via SSH, configure identities, manage authentication providers, configure the cluster and run the remote support tools.

/--
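The server-side checks that close the gap described in 7.1, as an added example that is not part of the Core advisory or of OneFS itself: a state-changing request is accepted only if its Content-Type is application/json (a cross-origin HTML form cannot send that), its body parses as a JSON object (so the text/plain `JSON_PAYLOAD=ignored` form is rejected), and it carries a per-session anti-CSRF token. The session store, header name `X-CSRF-Token` and function names are assumptions.

```python
import hmac
import json
import secrets

# Constructed session store: session id -> anti-CSRF token (assumption, not OneFS code).
SESSIONS = {"sess-1": secrets.token_hex(16)}

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session_id):
    """Return the per-session token the Web console must embed in its forms/JS."""
    return SESSIONS[session_id]


def check_request(method, headers, body, session_id):
    """Return (accepted, reason) for an authenticated Web console request.

    Each of the three checks on its own defeats the text/plain +
    'JSON_PAYLOAD=ignored' CSRF technique; together they give defense in depth.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "read-only"
    hdrs = {k.lower(): v for k, v in headers.items()}
    # 1. Reject anything a plain HTML form can produce (text/plain, urlencoded, multipart).
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content-type: %r" % ctype
    # 2. The body must be a JSON object, not form-encoded text that merely contains JSON.
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(payload, dict):
        return False, "JSON body must be an object"
    # 3. The request must echo the token bound to this session (constant-time compare).
    expected = SESSIONS.get(session_id)
    supplied = hdrs.get("x-csrf-token", "")
    if expected is None or not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"
```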