Researchers warn of nine vulnerabilities in Dell EMC's Isilon platform

The company's OneFS storage OS is vulnerable to cross-site request forgeries and privilege escalation

Researchers have discovered security flaws in the operating system powering Dell EMC's Isilon storage platform, which could open them up to remote code execution by hackers.

The flaws were discovered by Maximiliano Vidal and Ivan Huertas from Core Security and include nine CVEs that, if exploited, could enable privilege escalation and cross-site request forgery attacks.

"There are no anti-CSRF tokens in any forms on the web interface," a security advisory issued by Core Security read. "This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain."

"The web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Attackers could then use the privilege escalation vulnerabilities to run Python code of shell commands with root access, the advisory warned, and use cross-site scripting to impersonate victims, although researchers also noted that the attack relied on some degree of social engineering.

The flaws, which were first discovered in September last year, affect various versions of Dell EMC's Isilon OneFS software ranging from version 7.1.1.11 to version 8.1.1.0. The company told IT Pro that it has now issued security updates to address the vulnerabilities, and has alerted customers via a security advisory.

"With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities," a spokesperson for the company said. "This is a good example of coordinated disclosure in action."

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Recommended

Visit/hardware/354336/the-it-pro-products-of-the-year-2019-all-the-years-best-hardware
Hardware

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/server-storage/33830/dell-emc-poweredge-r340-review-the-only-choice-for-top-notch-remote-management
Server & storage

Dell EMC PowerEdge R340 review

13 Jun 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/cloud/cloud-computing/354767/google-cloud-snaps-up-multi-cloud-analytics-platform-for-26bn
cloud computing

Google Cloud snaps up multi-cloud analytics platform for $2.6bn

13 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/cloud/microsoft-azure/354771/microsoft-azure-is-a-testament-to-satya-nadellas-strategic-nouse
Microsoft Azure

Microsoft Azure is a testament to Satya Nadella’s strategic nouse

14 Feb 2020