CVE-2024-25952

6.0 MEDIUM

📋 TL;DR

Dell PowerScale OneFS contains a UNIX symbolic link following vulnerability: a privileged OneFS operation follows a symlink planted in a path it writes to or acts on, so a local attacker who already holds high privileges can redirect that operation to cause denial of service or tamper with information. The affected versions are OneFS 8.2.2.x through 9.7.0.x. Only a local attacker with elevated privileges can exploit it; there is no remote or unauthenticated vector.
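The bug class described above, shown generically. This is an added example in Python and not OneFS code; the file names are constructed and the privileged writer is hypothetical. A privileged process writes to a path in a location another principal can manipulate, the attacker replaces the expected entry with a symlink, and the write lands on the link target. The hardened version opens with O_NOFOLLOW and O_CREAT|O_EXCL so a planted link (or pre-existing file) is refused instead of followed.

```python
import errno
import os
import tempfile


def vulnerable_write(path: str, data: bytes) -> None:
    """Privileged writer that trusts whatever 'path' resolves to.

    If another principal replaced the expected file with a symlink, the
    write is delivered to the link target instead."""
    with open(path, "wb") as f:
        f.write(data)


def hardened_write(path: str, data: bytes) -> None:
    """Same write, refusing to be redirected.

    O_NOFOLLOW rejects a symlink at the final path component (ELOOP) and
    O_CREAT|O_EXCL rejects any pre-existing entry (EEXIST), so a planted
    link or file cannot steer the write. Mode 0600 keeps the new file private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Stage the attack in a scratch directory and report what each writer did.
    All file names here are constructed for the example."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "protected.conf")   # file the attacker wants overwritten
        scratch = os.path.join(d, "scratch.tmp")     # path the privileged code writes to

        with open(target, "wb") as f:
            f.write(b"original")
        os.symlink(target, scratch)                  # attacker plants the link

        vulnerable_write(scratch, b"tampered")       # follows the link: target is clobbered
        with open(target, "rb") as f:
            after_vulnerable = f.read()

        with open(target, "wb") as f:                # reset for the second run
            f.write(b"original")
        try:
            hardened_write(scratch, b"tampered")
            blocked_errno = None
        except OSError as e:
            blocked_errno = e.errno                  # ELOOP or EEXIST depending on the OS
        with open(target, "rb") as f:
            after_hardened = f.read()

        fresh = os.path.join(d, "fresh.tmp")
        hardened_write(fresh, b"ok")                 # no link present: the write succeeds
        with open(fresh, "rb") as f:
            fresh_contents = f.read()

    return {
        "vulnerable_tampered": after_vulnerable == b"tampered",
        "hardened_blocked": blocked_errno in (errno.ELOOP, errno.EEXIST),
        "hardened_target_intact": after_hardened == b"original",
        "hardened_fresh_ok": fresh_contents == b"ok",
    }


if __name__ == "__main__":
    print(demo())
```

O_EXCL means the hardened writer only ever creates new files; a writer that must replace an existing file should create a fresh O_EXCL file in the same directory and rename() over the old one, or open the parent directory first and use the dir_fd form of os.open so the path cannot be swapped between the check and the write.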

💻 Affected Systems

Products:
  • Dell PowerScale OneFS
Versions: 8.2.2.x through 9.7.0.x
Operating Systems: OneFS (Dell's proprietary storage OS)
Default Config Vulnerable: ⚠️ Yes
Notes: Every OneFS build in the range is affected regardless of configuration; exploitation, however, requires an attacker who already holds high local privileges on a node, so the practical exposure is insider or already-compromised administrator accounts.

📦 What is this software?

OneFS is the FreeBSD-derived clustered operating system that runs Dell PowerScale (formerly Isilon) scale-out NAS nodes. It serves the /ifs filesystem over SMB, NFS and other protocols and is administered through the isi command line and the web UI.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A privileged attacker could manipulate symlinks to corrupt critical system files, cause persistent denial of service, or tamper with sensitive data stored on the filesystem.

🟠 Likely Case: A local administrator or root user could cause temporary service disruption or modify non-critical system files through symlink manipulation.

🟢 If Mitigated: With proper access controls and monitoring, impact is limited to minor service disruption that can be quickly restored from backups.

🌐 Internet-Facing: LOW - This is a local privilege vulnerability requiring authenticated access to the system.
🏢 Internal Only: MEDIUM - Internal privileged users could exploit this, but requires local access and elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and high privileges. No public exploit code has been identified as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Upgrade to OneFS 9.7.0.1 or later, or apply the fix that DSA-2024-115 specifies for your release train; check the advisory for the exact fixed build or patch rather than assuming 9.7.0.1 is the only remedy.

Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000223366/dsa-2024-115-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities

Restart Required: Yes

Instructions:

1. Review the DSA-2024-115 advisory and identify the fixed release or patch that applies to your OneFS release train.
2. Download the appropriate OneFS update from Dell Support.
3. Apply the update following Dell's PowerScale upgrade procedures.
4. Reboot nodes as required by the upgrade.

🔧 Temporary Workarounds

Restrict local privileged access

Limit the number of users with local administrative/root privileges on PowerScale nodes. Besides the root account, OneFS grants administrative rights through RBAC roles, so review role membership as well as local accounts:

# List RBAC roles, then the members and privileges of the built-in admin roles
isi auth roles list
isi auth roles view SystemAdmin
isi auth roles view SecurityAdmin
# Audit local user accounts that can log in to nodes
isi auth users list

🧯 If You Can't Patch

  • Implement strict access controls to limit local administrative privileges
  • Monitor for unusual symlink creation or modification activities in system logs

🔍 How to Verify

Check if Vulnerable:

Run 'isi version' on a node and check whether the reported version falls within 8.2.2.x through 9.7.0.x. A bare version number does not show a fix delivered as a patch on an earlier release train, so on releases that support it also list installed patches with 'isi upgrade patches list' and compare against DSA-2024-115.

Check Version:

isi version

Verify Fix Applied:

After patching, run 'isi version' again and confirm the version is 9.7.0.1 or later, or that the patch DSA-2024-115 names for your release train appears in the installed patch list.
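A version-range check for the affected builds listed on this page, as an added Python example (not Dell's tooling). The sample 'isi version' output is constructed; the parser only relies on a four-part dotted version appearing in the string. The range encodes the page's statement that 8.2.2.x through 9.7.0.x are affected and 9.7.0.1 is the first fixed build on the 9.7 train, and it flags earlier trains separately because a patch on those trains is not visible in the version number.

```python
import re

# Range as stated on this page (assumption drawn from the page, not from the advisory text):
# affected from 8.2.2.0 up to but not including the first fixed 9.7 build.
AFFECTED_FROM = (8, 2, 2, 0)
FIRST_FIXED = (9, 7, 0, 1)

# Constructed sample; real output carries additional build detail.
SAMPLE_OUTPUT = "Isilon OneFS v9.5.0.6 B_9_5_0_6_003(RELEASE)"

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_onefs_version(output: str) -> tuple:
    """Pull the first four-part dotted version (e.g. 9.5.0.6) out of 'isi version' output."""
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("no four-part OneFS version found in: %r" % output)
    return tuple(int(g) for g in m.groups())


def in_affected_range(version: tuple) -> bool:
    """Tuple comparison handles 8.2.2.x through 9.7.0.0 correctly, including 9.10 > 9.7."""
    return AFFECTED_FROM <= version < FIRST_FIXED


def assess(output: str) -> str:
    """Classify a node: clean, needs the 9.7.0.1 upgrade, or on an earlier train where
    the fix ships as a patch and the installed-patch list must be checked."""
    v = parse_onefs_version(output)
    if not in_affected_range(v):
        return "not in affected range"
    if v[:2] < FIRST_FIXED[:2]:
        return "affected train; check installed patches against DSA-2024-115"
    return "affected; upgrade to 9.7.0.1 or later"


if __name__ == "__main__":
    print(parse_onefs_version(SAMPLE_OUTPUT), assess(SAMPLE_OUTPUT))
```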

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation/modification by privileged users
  • File permission changes in system directories
  • Unexpected service disruptions

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="powerscale" AND (event_type="file_modification" OR event_type="symlink_creation") AND (user="root" OR user="admin")

The field names are illustrative; map them to whatever your collector emits. Note also that OneFS protocol auditing records SMB/NFS client operations, not actions taken by an administrator in a local node shell, so covering this vulnerability requires node syslog or shell-level audit data as well.
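The SIEM query above, run as Python over constructed records. This is an added example, not the page's or Dell's code, and the key=value field names are the page's illustrative ones rather than OneFS's native audit schema. It evaluates both the intended predicate and the variant in which the trailing OR is left unparenthesized; a Splunk-style parser binds AND tighter than OR and reads that variant as (source AND event_type AND user="root") OR user="admin", which matches every admin event from every source.

```python
import re

# Constructed sample records; the third line is from another host and must not match.
SAMPLE_LOG = """\
source=powerscale event_type=symlink_creation user=root path=/ifs/data/etc/config.link
source=powerscale event_type=file_read user=root path=/ifs/data/etc/config
source=otherhost event_type=symlink_creation user=admin path=/tmp/x
source=powerscale event_type=file_modification user=svc_backup path=/ifs/data/backup.dat
source=powerscale event_type=file_modification user=admin path=/ifs/data/app/settings.dat
"""

PRIVILEGED_USERS = {"root", "admin"}
SYMLINK_EVENTS = {"file_modification", "symlink_creation"}

# key=value pairs, with the value either quoted or a run of non-space characters
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict; quoted and bare values are both accepted."""
    return {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(line)}


def matches_corrected(rec: dict) -> bool:
    """source AND event_type AND (user=root OR user=admin): the intended predicate."""
    return (rec.get("source") == "powerscale"
            and rec.get("event_type") in SYMLINK_EVENTS
            and rec.get("user") in PRIVILEGED_USERS)


def matches_as_written(rec: dict) -> bool:
    """(source AND event_type AND user=root) OR user=admin: how an unparenthesized
    trailing OR is parsed, so any admin event anywhere slips through."""
    return ((rec.get("source") == "powerscale"
             and rec.get("event_type") in SYMLINK_EVENTS
             and rec.get("user") == "root")
            or rec.get("user") == "admin")


def run_query(log_text: str, predicate) -> list:
    """Apply a predicate to each non-empty line and return the paths of the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if predicate(rec):
            hits.append(rec.get("path", ""))
    return hits


if __name__ == "__main__":
    print("corrected :", run_query(SAMPLE_LOG, matches_corrected))
    print("as written:", run_query(SAMPLE_LOG, matches_as_written))
```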

🔗 References

  • Dell DSA-2024-115: https://www.dell.com/support/kbdoc/en-us/000223366/dsa-2024-115-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-25952