Researchers warn of nine vulnerabilities in Dell EMC's Isilon platform

The company's OneFS storage OS is vulnerable to cross-site request forgeries and privilege escalation

Researchers have discovered security flaws in the operating system powering Dell EMC's Isilon storage platform, which could open them up to remote code execution by hackers.

The flaws were discovered by Maximiliano Vidal and Ivan Huertas from Core Security and include nine CVEs that, if exploited, could enable privilege escalation and cross-site request forgery attacks.

"There are no anti-CSRF tokens in any forms on the web interface," a security advisory issued by Core Security read. "This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain."

"The web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users."

Attackers could then use the privilege escalation vulnerabilities to run Python code of shell commands with root access, the advisory warned, and use cross-site scripting to impersonate victims, although researchers also noted that the attack relied on some degree of social engineering.

The flaws, which were first discovered in September last year, affect various versions of Dell EMC's Isilon OneFS software ranging from version 7.1.1.11 to version 8.1.1.0. The company told IT Pro that it has now issued security updates to address the vulnerabilities, and has alerted customers via a security advisory.

"With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities," a spokesperson for the company said. "This is a good example of coordinated disclosure in action."

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Dell EMC PowerEdge C6520 review: Super dense Gen3 Xeon Scalable
Server & storage

Dell EMC PowerEdge C6520 review: Super dense Gen3 Xeon Scalable

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Dell EMC PowerEdge R750 review: A third-gen Xeon Scalable powerhouse
Server & storage

Dell EMC PowerEdge R750 review: A third-gen Xeon Scalable powerhouse

4 May 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
The technology powering the future of shopping
Technology

The technology powering the future of shopping

16 Sep 2021