CVE-2021-36278
📋 TL;DR
Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 expose sensitive information in log files. Local users with specific privileges (ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT) can access this data, and third-party systems consuming these logs also gain access. This vulnerability affects organizations using vulnerable PowerScale OneFS storage systems.
💻 Affected Systems
- Dell EMC PowerScale OneFS
⚠️ Risk & Real-World Impact
Worst Case
Sensitive credentials, configuration data, or proprietary information is exfiltrated, leading to full system compromise, data breaches, or lateral movement within the network.
Likely Case
Privileged local users access sensitive information from logs, potentially enabling privilege escalation or exposing confidential data to unauthorized parties.
If Mitigated
With proper access controls and log monitoring, impact is limited to authorized users who already have elevated privileges, reducing exposure risk.
🎯 Exploit Status
Exploitation requires local access with specific privileges. No public exploit code is known, but the vulnerability is straightforward to exploit by authorized users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.2.19, 9.1.0.24, 9.2.1.0 and later
Vendor Advisory: https://www.dell.com/support/kbdoc/000190408
Restart Required: Yes
Instructions:
1. Review Dell advisory 000190408.
2. Upgrade to patched versions: 8.2.2.19, 9.1.0.24, or 9.2.1.0+.
3. Apply patches through OneFS upgrade process.
4. Restart systems as required.
🔧 Temporary Workarounds
Restrict Log Access
Platform: linux
Limit access to log files and directories to only necessary users. Implement strict file permissions on log storage.
chmod 640 /var/log/*
chown root:adm /var/log/*
Monitor Log Consumption
Platform: all
Audit and control third-party systems that consume PowerScale logs to prevent unauthorized access to sensitive information.
🧯 If You Can't Patch
- Implement strict access controls to limit users with ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT privileges.
- Regularly audit and sanitize log files to remove sensitive information before storage or sharing.
🔍 How to Verify
Check if Vulnerable:
Check OneFS version via CLI: 'isi version'. If version is 8.2.x, 9.1.0.x, or 9.1.1.1, system is vulnerable.
Check Version:
isi version
Verify Fix Applied:
After patching, verify version is 8.2.2.19, 9.1.0.24, or 9.2.1.0+ using 'isi version'.
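A version triage helper for the checks above, added here as an example and not taken from Dell or the advisory. It assumes `isi version` prints a four-field dotted release number somewhere in its output; the function names and the sample lines are constructed, and releases this page does not list are reported as `unlisted` rather than guessed.

```shell
#!/bin/sh
# Added example (not vendor code): triage a OneFS version string against the
# affected and fixed releases listed on this page for CVE-2021-36278.

# Pull the first four-field dotted version out of arbitrary text.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# ver_ge A B: succeed when four-field version A is >= B (numeric per field).
ver_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                      # a1 a2 a3 a4 b1 b2 b3 b4
    IFS=$old_ifs
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}; b=${pair##*:}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Print one of: vulnerable | fixed | unlisted | unparsed
onefs_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unparsed; return 0; fi
    case $v in
        8.2.*)   if ver_ge "$v" 8.2.2.19; then echo fixed; else echo vulnerable; fi ;;
        9.1.0.*) if ver_ge "$v" 9.1.0.24; then echo fixed; else echo vulnerable; fi ;;
        9.1.1.1) echo vulnerable ;;
        # Anything else is fixed only from 9.2.1.0 on; other releases are not
        # covered by this page, so defer to the Dell advisory.
        *)       if ver_ge "$v" 9.2.1.0; then echo fixed; else echo unlisted; fi ;;
    esac
}

# Constructed sample lines; the real `isi version` output format is assumed.
for line in \
    "Isilon OneFS v8.2.2.0 B_SAMPLE(RELEASE)" \
    "Isilon OneFS v9.1.0.24 B_SAMPLE(RELEASE)" \
    "Isilon OneFS v9.1.1.1 B_SAMPLE(RELEASE)" \
    "Isilon OneFS v9.2.0.0 B_SAMPLE(RELEASE)"
do
    printf '%-45s %s\n' "$line" "$(onefs_status "$line")"
done
```

On a cluster node, the live value can be passed in as `onefs_status "$(isi version)"`.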
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to log files.
- Unusual log file reads by privileged users.
- Alerts from file integrity monitoring on log directories.
Network Indicators:
- Unusual outbound traffic from log storage systems to third-party consumers.
SIEM Query:
source="PowerScale" AND (event_type="file_access" AND file_path="/var/log/*") AND user_privileges IN ("ISI_PRIV_LOGIN_SSH", "ISI_PRIV_LOGIN_CONSOLE", "ISI_PRIV_SYS_SUPPORT")