EMC Isilon OneFS versions 7.x and 8.x contain a privilege escalation vulnerability: a 'compadmin' user can potentially run restricted system commands with elevated (root) privilege on a cluster in compliance mode.
EMC Isilon OneFS Privilege Escalation Vulnerability

CVE Identifier: CVE-2017-14380

Severity Rating: CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected products:
* EMC Isilon OneFS 126.96.36.199
* EMC Isilon OneFS 188.8.131.52 - 184.108.40.206
* EMC Isilon OneFS 220.127.116.11 - 18.104.22.168
* EMC Isilon OneFS 22.214.171.124 - 126.96.36.199
* EMC Isilon OneFS 7.2.0.x
* EMC Isilon OneFS 7.1.1.x

Summary:
EMC Isilon OneFS contains an issue where a 'compadmin' user can potentially run restricted system commands with elevated (root) privilege on a cluster in compliance mode.

Details:
A malicious compliance admin (compadmin) account user could exploit a vulnerability in the isi_get_itrace or isi_get_profile maintenance scripts to run any shell script as system root on a cluster in compliance mode. This could lead to an elevation of privilege for the compadmin user and violate compliance mode: on a compliance-mode cluster the compadmin account is the most privileged login and direct root access is intended to be unavailable, so root execution defeats the guarantee the mode exists to provide.

Resolution:
The following versions of EMC Isilon OneFS resolve this vulnerability:
* EMC Isilon OneFS 188.8.131.52
* EMC Isilon OneFS 184.108.40.206
* EMC Isilon OneFS 220.127.116.11
* EMC Isilon OneFS 18.104.22.168

Patches are available for the following versions of EMC Isilon OneFS:
* EMC Isilon OneFS 22.214.171.124
* EMC Isilon OneFS 126.96.36.199
* EMC Isilon OneFS 188.8.131.52
* EMC Isilon OneFS 184.108.40.206

EMC recommends that all customers upgrade to a version or patch containing the resolution at the earliest opportunity.

Link to remedies:
Registered EMC Online Support customers can download OneFS installation files from the Downloads for Isilon OneFS page of EMC Online Support at https://support.emc.com/downloads/15209_Isilon-OneFS.
Patches are available here:
* Patch-211403 for OneFS 220.127.116.11: https://download.emc.com/downloads/DL87131
* Patch-211402 for OneFS 18.104.22.168: https://download.emc.com/downloads/DL87130
* Patch-211400 for OneFS 22.214.171.124: https://download.emc.com/downloads/DL87128
* Patch-211401 for OneFS 126.96.36.199: https://download.emc.com/downloads/DL87129

If you have any questions, contact EMC Support.

# 0day.today [2018-04-09] #
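The advisory gives no exploit steps, only the shape of the bug: a maintenance script that runs as root and will execute a script the restricted admin hands it. The following is an added, generic illustration of that class (it is not OneFS code and does not reproduce isi_get_itrace or isi_get_profile): a vulnerable wrapper next to one that only dispatches to fixed, verified scripts. The task names, the MAINT_DIR location and the collect_*.sh paths are hypothetical, and the scripts the demo creates are constructed for the run.

```shell
#!/bin/sh
# Added illustration, not OneFS code. Models a root-privileged maintenance
# wrapper that executes a caller-supplied script (the vulnerable pattern)
# beside a wrapper that only dispatches to fixed, root-owned scripts.
# All task names and paths are hypothetical.

# Vulnerable pattern: the wrapper runs as root (via a sudo rule, a setuid
# helper or a restricted-shell command table) and hands whatever the caller
# names to the shell. A compadmin-style account that may invoke it can
# therefore run any script as root.
run_vulnerable() {
    sh "$1"
}

# Hardened pattern: the caller selects a task *name*; the wrapper maps it to
# a path it owns and verifies the file before executing it. Nothing the
# caller supplies is ever used as a path, as arguments or as shell code.
: "${MAINT_DIR:=/usr/local/sbin}"   # hypothetical home of the fixed scripts

run_hardened() {
    case "$1" in
        itrace)  target="$MAINT_DIR/collect_itrace.sh" ;;
        profile) target="$MAINT_DIR/collect_profile.sh" ;;
        *)       echo "refused: unknown task '$1'" >&2; return 2 ;;
    esac
    # A fixed path is only as safe as the file behind it: refuse symlinks,
    # missing files, and anything group- or world-writable.
    if [ -L "$target" ]; then
        echo "refused: $target is a symlink" >&2; return 3
    fi
    if [ ! -f "$target" ]; then
        echo "refused: $target is missing" >&2; return 4
    fi
    if [ -n "$(find "$target" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
        echo "refused: $target is group- or world-writable" >&2; return 5
    fi
    # No caller arguments are forwarded: they would be a second channel into
    # root context that the fixed script would have to sanitise itself.
    sh "$target"
}

# Stand-alone demo on constructed scripts in a temporary directory.
main() {
    tmp=$(mktemp -d)
    MAINT_DIR="$tmp"
    printf '#!/bin/sh\necho "collecting itrace as $(id -un)"\n' > "$tmp/collect_itrace.sh"
    printf '#!/bin/sh\necho "attacker payload running as $(id -un)"\n' > "$tmp/evil.sh"
    chmod 0755 "$tmp/collect_itrace.sh" "$tmp/evil.sh"

    run_vulnerable "$tmp/evil.sh"      # whatever the caller names gets executed
    run_hardened itrace                # only the fixed script is executed
    run_hardened "$tmp/evil.sh" || echo "hardened wrapper refused (status $?)"
    rm -rf "$tmp"
}

main "$@"
```

The point of the hardened form is that the privileged side never receives a path or code from the unprivileged side, only a selector; the permission and symlink checks close the remaining way in, which is replacing the file the fixed path points at. Run it as an ordinary user to see both outcomes without granting root to anything.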