Dell ships patch for vulnerable filesystem

Telemetry loss, account takeover, and more.

Dell has pushed out patches for its PowerScale OneFS filesystem that fix six security vulnerabilities.

Dell describes the filesystem, which originated in EMC, as “a massively scalable, high-performance, modular storage architecture” that is used with all Isilon storage systems.

For all but one of the bugs, there is no mitigation other than patching, but fixed software is available for all versions.

The most critical of the vulnerabilities, with a Common Vulnerability Scoring System (CVSS) score of 9.1, is CVE-2022-26851. Affected versions of the PowerScale OneFS software contain “a predictable file name from observable state”.

An unprivileged network attacker could exploit the vulnerability, “leading to telemetry loss for Dell”.

Next on the list is CVE-2022-26852: the software has a predictable seed in a pseudo-random number generator (CVSS score 8.1).

This exposes the system to remote attack, “leading to an account compromise”.

In CVE-2022-26854, Dell says “risky cryptographic algorithms” are used in some versions of the filesystem software, but doesn’t specify which algorithms are in use (CVSS score 8.1).

However, they could give a remote attacker “full system access”, the advisory stated.

The other three vulnerabilities are less severe.

CVE-2022-24428 (CVSS score 6.3) is a local privilege escalation vulnerability “due to improper preservation of privileges”; CVE-2022-26855 (CVSS score 5.5) is a local incorrect default permissions vulnerability; and CVE-2022-22563 (CVSS score 4.4) could allow a privileged user to change account information without being logged.

Copyright © iTnews.com.au . All rights reserved.