CVE-2020-26181
📋 TL;DR
This CVE describes a privilege escalation vulnerability in Dell EMC Isilon OneFS and PowerScale OneFS systems. It allows a compadmin user with specific privileges to elevate to root access on SmartLock Compliance mode clusters. Affected systems include Dell EMC Isilon OneFS versions 8.1+ and Dell EMC PowerScale OneFS version 9.0.0.
💻 Affected Systems
- Dell EMC Isilon OneFS
- Dell EMC PowerScale OneFS
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compadmin access and ISI_PRIV_HARDENING privileges gains full root control over the cluster, enabling data theft, system compromise, and complete administrative takeover.
Likely Case
Malicious insider or compromised compadmin account escalates to root privileges, potentially accessing sensitive data and modifying system configurations.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized administrative actions, though privilege boundaries are still breached.
🎯 Exploit Status
Exploitation requires authenticated compadmin access with ISI_PRIV_HARDENING privileges, connecting via ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Dell Security Advisory DSA-2020-227 for specific patched versions
Restart Required: Yes
Instructions:
1. Review Dell Security Advisory DSA-2020-227.
2. Apply the recommended security update from Dell.
3. Restart affected systems as required.
4. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Restrict compadmin privileges
Remove ISI_PRIV_HARDENING privileges from compadmin users to prevent exploitation:
isi auth privileges modify compadmin --remove-privileges=ISI_PRIV_HARDENING
Monitor privileged access
Implement strict monitoring and logging of compadmin user activities and privilege escalations.
🧯 If You Can't Patch
- Immediately remove ISI_PRIV_HARDENING privileges from all compadmin users
- Implement strict access controls and monitoring for compadmin accounts, including session logging and alerting for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the system is running an affected OneFS version (8.1+ for Isilon, 9.0.0 for PowerScale) and is in SmartLock Compliance mode with compadmin users having ISI_PRIV_HARDENING privileges.
Check Version:
isi version
Verify Fix Applied:
Verify the security update from Dell Security Advisory DSA-2020-227 is applied and compadmin users no longer have ISI_PRIV_HARDENING privileges.
📡 Detection & Monitoring
Log Indicators:
- Unusual compadmin login activity
- Privilege escalation attempts from compadmin to root
- ISI_PRIV_LOGIN_SSH / ISI_PRIV_LOGIN_CONSOLE usage patterns
Network Indicators:
- SSH connections to administrative interfaces from compadmin accounts
SIEM Query:
source="onefs_logs" AND (user="compadmin" AND (event="privilege_escalation" OR event="root_access"))
🔗 References
- https://www.dell.com/support/security/en-us/details/546720/DSA-2020-227-Dell-EMC-PowerScale-OneFS-and-Dell-EMC-Isilon-OneFS-Security-Update-for-SmartLock-Co