CVE-2020-26197
📋 TL;DR
Dell PowerScale OneFS versions 8.1.0 through 9.1.0 have an LDAP Provider vulnerability in which the cluster cannot establish TLSv1.2 connections to LDAP servers. An attacker positioned on the network path could potentially intercept and decrypt authentication traffic between the cluster and its LDAP servers. Only clusters that use LDAP servers for authentication are affected.
💻 Affected Systems
- Dell PowerScale OneFS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept LDAP authentication traffic, decrypt credentials, and gain unauthorized access to the PowerScale cluster with administrative privileges.
Likely Case
Attackers eavesdrop on LDAP authentication sessions to capture credentials, potentially leading to unauthorized access to the storage system.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential credential exposure without direct system compromise.
🎯 Exploit Status
Requires network access to intercept LDAP traffic between PowerScale cluster and LDAP servers. No authentication needed for eavesdropping.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.0 and later
Vendor Advisory: https://www.dell.com/support/kbdoc/000185202
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Upgrade to OneFS 9.2.0 or later.
3. Verify that LDAP connections are using TLSv1.2.
4. Test authentication functionality.
🔧 Temporary Workarounds
Disable LDAP Authentication
Platform: linux
Temporarily switch to local authentication or other supported authentication providers
isi auth local enable
isi auth providers modify ldap --enabled=false
Network Segmentation
Platform: all
Isolate LDAP traffic to trusted networks using VLANs or firewalls
🧯 If You Can't Patch
- Implement network encryption at layer 2/3 (IPsec, MACsec) between PowerScale and LDAP servers
- Monitor network traffic for LDAP interception attempts and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check OneFS version with 'isi version' and verify LDAP authentication is configured in 'isi auth providers view ldap'
Check Version:
isi version
Verify Fix Applied:
After upgrade to 9.2.0+, verify LDAP connections with 'isi auth providers view ldap' and test authentication
📡 Detection & Monitoring
Log Indicators:
- Failed LDAP authentication attempts
- LDAP connection errors
- TLS handshake failures
Network Indicators:
- Unencrypted LDAP traffic on port 389
- LDAP traffic with weak TLS versions
SIEM Query:
source="powerscale" AND (event="ldap_auth_failed" OR event="tls_error")
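The log and network indicators above, turned into a small scanner as an added example (this is not Dell's code, and the key=value log format, the `tls=` field and the sample lines are constructed for illustration): it applies the same event filter as the SIEM query and additionally flags LDAP binds that negotiated no TLS or a version below TLSv1.2.

```python
import re

# Constructed sample log lines (assumed key=value format, not the real OneFS format).
SAMPLE_LOGS = [
    'ts=2021-01-10T08:00:01Z source=powerscale event=ldap_bind peer=10.0.0.5:636 tls=TLSv1.2',
    'ts=2021-01-10T08:00:02Z source=powerscale event=ldap_bind peer=10.0.0.5:636 tls=TLSv1',
    'ts=2021-01-10T08:00:03Z source=powerscale event=tls_error peer=10.0.0.5:636 msg="handshake failure"',
    'ts=2021-01-10T08:00:04Z source=powerscale event=ldap_auth_failed user=alice peer=10.0.0.5:636',
    'ts=2021-01-10T08:00:05Z source=powerscale event=ldap_bind peer=10.0.0.5:389 tls=none',
    'ts=2021-01-10T08:00:06Z source=other event=tls_error peer=10.0.0.9:443',
]

# key=value pairs; values may be quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Anything below TLSv1.2 (or no TLS at all) is reported as weak for this CVE.
WEAK_TLS = {"none", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec):
    """Return a finding label for a parsed record, or None if it is benign."""
    if rec.get("source") != "powerscale":
        return None  # same scoping as the SIEM query's source="powerscale"
    event = rec.get("event")
    if event in ("ldap_auth_failed", "tls_error"):
        return event  # log indicators: failed auth / TLS handshake failure
    if event == "ldap_bind":
        tls = rec.get("tls", "none")  # missing field treated as unencrypted
        if tls in WEAK_TLS:
            return "weak_tls:" + tls  # network indicator: plaintext or weak TLS
    return None


def scan(lines):
    """Return (peer, label) for every line that matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((rec.get("peer"), label))
    return findings


if __name__ == "__main__":
    for peer, label in scan(SAMPLE_LOGS):
        print(f"{peer}\t{label}")
```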