The following advisory describes a Remote Command Injection vulnerability found in EMC IsilonSD Edge Management Server version 1.0.1.0005.
IsilonSD Edge Management Server enables you to deploy industry leading scale-out NAS operating system using industry-standard hardware. Key benefits of IsilonSD Edge: Simple yet powerful and efficient scale-out storage solution for remote and branch offices, Easily extends your enterprise data lake from the core data center to edge locations and Enables consolidation and distribution of unstructured data
An independent security researcher, Nahuel D. Sánchez from vvvSecurity, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
We have informed EMC of the vulnerability on the 24th of April 2017.
The vendor has sent the following statement in response to this advisory:
Dell EMC recently became aware of a potential vulnerability that was disclosed regarding EMC IsilonSD Management Server by third-party researchers. IsilonSD Management Server is a gateway for deploying virtual OneFS clusters on VMware ESXi. Note: IsilonSD Management Server is NOT used for deploying physical OneFS clusters.
Based on the current design of the product, we believe the reported issue does not add any additional security risk to the customer environment. The reported flaw does exist but exploitation of the vulnerability requires a privilege that is considered normal operating privilege and that should be highly protected in any Isilon deployment.
Below are our findings after initial review of the reported issue:
- The attacker requires the knowledge of the password for IsilonSD Management Server administrator to exploit the issue described in the report
- The authenticated user can then run OS commands via the reported web interface flaw on the virtual OS where IsilonSD Management Server is deployed. This issue does not allow remote code execution on the virtual OneFS clusters.
- IsilonSD Management Server administrator user is considered highly privileged user and has full access to the underlying virtual OS as part of the product design. The access to the IsilonSD Management Server (including the web interface) and administrative user credentials should be given to trusted users only. Any default credentials should be also changed as part of the best practice recommendations. Please see IsilonSD Edge with IsilonSD Management Server Installation and Administration Guide for more information.
Dell EMC continuously reviews the product design for IsilonSD Management Server to identify potential areas of improvements to raise the overall security posture of the product.
Continue reading SSD Advisory – EMC IsilonSD Edge Management Server Command Injection