'[FD] ESA-2017-161: EMC Isilon OneFS NFS Export Security Setting Fallback Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] ESA-2017-161: EMC Isilon OneFS NFS Export Security Setting Fallback Vulnerability
From:       EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2017-12-18 19:07:08
Message-ID: 1BF8853173D9704A93EF882F85952A8938CF6E () MX304CL04 ! corp ! emc ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-161: EMC Isilon OneFS NFS Export Security Setting Fallback Vulnerability 

EMC Identifier: ESA-2017-161

CVE Identifier: CVE-2017-14387 

Severity Rating: CVSS v3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected products:  
*	EMC Isilon OneFS 8.1.0.0
*	EMC Isilon OneFS 8.0.1.0 -- 8.0.1.1
*	EMC Isilon OneFS 8.0.0.0 - 8.0.0.4

Summary:  
EMC Isilon OneFS requires a security update to address an issue that may potentially allow NFS \
clients to access certain NFS exports using a weaker authentication flavor when default NFS \
export settings are modified. 

Details:  
OneFS NFS service maintains default NFS export settings (including NFS export security flavor \
for authentication) that can be leveraged by current and future NFS exports. OneFS NFS service \
contained a flaw that did not properly propagate changes made to the default security flavor to \
all new and existing NFS exports that are configured to use default NFS export settings and \
that are mounted after those changes are made. This flaw may potentially allow NFS clients to \
access affected NFS exports using the default and potentially weaker security flavor even if a \
more secure one was selected to be used by the OneFS administrator. 

Resolution:  
The following versions of EMC Isilon OneFS resolve this vulnerability:
*	EMC Isilon OneFS 8.1.0.1
*	EMC Isilon OneFS 8.0.1.2
*	EMC Isilon OneFS 8.0.0.5
EMC recommends that all customers upgrade to a version containing the resolution at the \
earliest opportunity. 

If you cannot upgrade at this time, you can perform the workaround below.  

Workaround:
After you create or modify an export, and before you mount that export, manually refresh the \
exports by running either of the following commands:

isi nfs exports reload 

or

/usr/likewise/bin/lwsm refresh nfs

Link to remedies:

Registered EMC Online Support customers can download OneFS installation files from the \
Downloads for Isilon OneFS page of the EMC Online Support site at \
https://support.emc.com/downloads/15209_Isilon-OneFS. 

If you have any questions, please contact EMC Support.

[The following is standard text included in all security advisories.  Please do not change or \
delete.]

Read and use the information in this EMC Security Advisory to assist in avoiding any situation \
that might arise from the problems described herein. If you have any questions regarding this \
product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC \
recommends all customers take into account both the base score and any relevant temporal and \
environmental scores which may impact the potential severity associated with particular \
security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of \
users of the affected EMC products, important security information. EMC recommends that all \
users determine the applicability of this information to their individual situations and take \
appropriate action. The information set forth herein is provided "as is" without warranty of \
any kind. EMC disclaims all warranties, either express or implied, including the warranties of \
merchantability, fitness for a particular purpose, title and non-infringement. In no event, \
shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, \
incidental, consequential, loss of business profits or special damages, even if EMC or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages, so the foregoing \
limitation may not apply.