CVE-2021-21526
📋 TL;DR
This vulnerability allows a compadmin user on Dell PowerScale OneFS systems to escalate privileges and execute arbitrary commands as root. It affects Dell PowerScale OneFS versions 8.1.0 through 9.1.0 when SmartLock compliance mode is enabled. The vulnerability enables local privilege escalation within the storage system.
💻 Affected Systems
- Dell PowerScale OneFS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
A malicious compadmin user gains full root access to the PowerScale cluster, enabling complete system compromise, data theft, destruction, or ransomware deployment across the entire storage infrastructure.
Likely Case
An authorized compadmin user with legitimate access exploits the vulnerability to bypass intended restrictions, potentially accessing sensitive data or making unauthorized configuration changes.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized compadmin users who would need to intentionally exploit the vulnerability, with detection possible through command auditing.
🎯 Exploit Status
Exploitation requires authenticated compadmin access. The vulnerability is in SmartLock compliance mode functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OneFS 9.2.0 and later
Vendor Advisory: https://www.dell.com/support/kbdoc/000185202
Restart Required: Yes
Instructions:
1. Upgrade to OneFS 9.2.0 or later.
2. Apply the update through the PowerScale web interface or CLI.
3. Reboot the cluster to complete the update.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable SmartLock Compliance Mode
Temporarily disable SmartLock compliance mode if it is not required for compliance needs:
isi compliance settings modify --mode=disabled
Restrict compadmin Access
Review compadmin user accounts and limit them to the personnel who genuinely need that role.
🧯 If You Can't Patch
- Disable SmartLock compliance mode if not required for regulatory compliance
- Implement strict access controls for compadmin accounts and monitor all compadmin user activity
🔍 How to Verify
Check if Vulnerable:
Check if SmartLock compliance mode is enabled and version is between 8.1.0 and 9.1.0: isi compliance settings view && isi version
Check Version:
isi version
Verify Fix Applied:
Verify version is 9.2.0 or later: isi version
📡 Detection & Monitoring
Log Indicators:
- Unusual root-level commands executed by compadmin users
- Privilege escalation attempts in system logs
- Changes to SmartLock compliance settings
Network Indicators:
- Unusual SSH or management connections to PowerScale nodes
SIEM Query:
source="powerscale" AND ((user="compadmin" AND privilege="root") OR event="privilege_escalation")
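The log indicators and SIEM query above, applied to sample events as an added example (not part of the original advisory). The key="value" log format and the sample lines are constructed for illustration and do not reflect real OneFS audit output; the example also shows why the `source` filter must be grouped around both branches of the OR.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simple key="value" form (hypothetical format,
# not real OneFS log output). The last line comes from a different source and
# must NOT match a PowerScale-scoped rule.
SAMPLE_LOGS = [
    'source="powerscale" user="compadmin" privilege="root" cmd="id"',
    'source="powerscale" user="compadmin" privilege="compadmin" cmd="isi worm domains list"',
    'source="powerscale" user="root" privilege="root" cmd="isi compliance settings modify --mode=disabled"',
    'source="powerscale" event="privilege_escalation" user="compadmin"',
    'source="linux-host" event="privilege_escalation" user="bob"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse(line: str) -> Dict[str, str]:
    """Parse one key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def matches_ungrouped(ev: Dict[str, str]) -> bool:
    """The query written without grouping: AND binds tighter than OR, so the
    source filter only applies to the first branch and foreign events leak in."""
    return (ev.get("source") == "powerscale" and ev.get("user") == "compadmin"
            and ev.get("privilege") == "root") or ev.get("event") == "privilege_escalation"


def matches_grouped(ev: Dict[str, str]) -> bool:
    """Corrected query: source="powerscale" scopes both branches of the OR."""
    return ev.get("source") == "powerscale" and (
        (ev.get("user") == "compadmin" and ev.get("privilege") == "root")
        or ev.get("event") == "privilege_escalation")


def compliance_setting_change(ev: Dict[str, str]) -> bool:
    """Third log indicator: changes to SmartLock compliance settings."""
    return "isi compliance settings modify" in ev.get("cmd", "")


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (user, reasons) for every event that trips at least one indicator."""
    alerts = []
    for line in lines:
        ev = parse(line)
        reasons = []
        if matches_grouped(ev):
            reasons.append("compadmin-root-or-escalation")
        if compliance_setting_change(ev):
            reasons.append("smartlock-compliance-change")
        if reasons:
            alerts.append((ev.get("user", "?"), reasons))
    return alerts
```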