Privilege Escalation in EMC Isilon OneFS (CVE-2017–14380)

Shea Polansky
Independent Security Evaluators
Dec 14, 2017


EMC Isilon is a Network Attached Storage platform for storage, backup, and archiving of high volumes of arbitrary data. It features a compliance mode, designed for environments where copies of old data must be retained, e.g., for legal reasons.

Who is Vulnerable?

This vulnerability affects clusters running EMC Isilon OneFS 8.1.0.0, 8.0.1.0–8.0.1.1, 8.0.0.0–8.0.0.4, 7.2.1.0–7.2.1.5, 7.2.0.x, and 7.1.1.x, and only when running in compliance mode. When compliance mode is not engaged, this vulnerability does not apply. In order to successfully exploit this vulnerability, an attacker must already be able to execute commands as the compadmin user, an account that, even independently of this attack, carries an extremely high level of privilege.

Compliance Mode Background

When compliance mode is engaged, several things occur. First, the file system goes into a Write-Once Read-Many (WORM) mode. While in WORM mode, files can be created, but modifications and deletions are merely simulated; the system stores all previous versions and deleted files in a tamper-resistant manner called a hash tree.

Second, a “compliance admin” user (internally termed compadmin) is created, and functions as a limited root user; through the standard Linux /etc/sudoers mechanism, this user is allowed to configure the system in ways that do not affect the “compliance status”. For instance, they are not allowed to disengage compliance mode, or tamper with the metadata of stored file revisions. From that point on, it is intended that the compadmin account be used for day-to-day administration tasks, and the real root account be kept secure and used only by extremely trusted administrators for tasks that the compadmin account cannot perform.

The Vulnerability

A privilege escalation vulnerability was discovered by Packet Storm Security which allows the compadmin user to trick the isi_get_itrace and isi_get_profile maintenance scripts into executing arbitrary shell scripts (and thus running arbitrary commands) as root, bypassing the restrictions defined in /etc/sudoers. While specific exploit details such as proof-of-concept commands were not publicly disclosed, these kinds of exploits generally take the form of script inputs that are vulnerable to command injection or that otherwise cause user input to be executed.

Attack Detection

As successful exploitation of this vulnerability grants unrestricted root access, post-hoc detection will be difficult. External logging systems may detect the initial use of the exploit, but a skilled attacker can potentially use root access to spoof or disable such logging mechanisms.
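Because the only reliable signal is the one captured before root is obtained, the practical defensive move is to forward sudo's syslog records off the cluster and watch them there. The following is an added example, not code from the advisory or from EMC: it parses lines in the standard sudo syslog format and flags, for the compadmin account, both invocations of the two maintenance scripts named above (run as root via sudo) and any command that sudoers rejected. The sample log lines and the script install paths are constructed assumptions; only the script basenames and the compadmin account name come from the advisory.

```python
"""Detector for forwarded sudo log lines (added example, not from the advisory).

Flags two things a defender would want to see on an external log host:
  1. compadmin running the isi_get_itrace / isi_get_profile maintenance
     scripts via sudo as root (the vector described in CVE-2017-14380), and
  2. compadmin attempting commands that /etc/sudoers does not permit.
The message layout is the standard sudo syslog format; the install paths and
sample lines below are constructed assumptions, not taken from OneFS."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard sudo syslog message layout:
#   sudo: <user> : [<reason> ;] TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^;]*?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)

# Maintenance scripts named in the advisory. Matched by basename only,
# because their install path is not given on the page.
WATCHED_SCRIPTS = {"isi_get_itrace", "isi_get_profile"}
RESTRICTED_USER = "compadmin"


@dataclass
class Alert:
    kind: str      # "maintenance-script" or "sudo-denied"
    user: str
    command: str
    line: str


def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the sudo fields of a syslog line, or None if it is not a sudo record."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def check_line(line: str) -> Optional[Alert]:
    """Classify one log line; only compadmin activity is of interest here."""
    rec = parse_sudo_line(line)
    if rec is None or rec["user"] != RESTRICTED_USER:
        return None
    cmd = rec["command"].strip()
    reason = (rec["reason"] or "").strip()
    # sudoers refused the command: the restricted admin probing outside its allow-list.
    if "command not allowed" in reason:
        return Alert("sudo-denied", rec["user"], cmd, line)
    # An allowed escalation to root through one of the maintenance scripts.
    if rec["target"] == "root":
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if prog in WATCHED_SCRIPTS:
            return Alert("maintenance-script", rec["user"], cmd, line)
    return None


def scan(lines):
    """Run check_line over a log and return the alerts, in log order."""
    return [a for a in map(check_line, lines) if a is not None]


# Constructed sample log (hypothetical hostnames, paths and timestamps).
SAMPLE_LOG = [
    "Dec 14 10:01:02 node1 sudo: compadmin : TTY=pts/0 ; PWD=/ifs ; USER=root ; COMMAND=/bin/ls /ifs",
    "Dec 14 10:02:10 node1 sudo: compadmin : TTY=pts/0 ; PWD=/ifs/home/compadmin ; USER=root ; "
    "COMMAND=/usr/bin/isi_get_itrace -o /ifs/home/compadmin/out",
    "Dec 14 10:02:30 node1 sudo: compadmin : command not allowed ; TTY=pts/0 ; PWD=/ifs ; USER=root ; COMMAND=/bin/sh",
    "Dec 14 10:03:00 node1 sudo: root : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/isi_get_profile",
    "Dec 14 10:03:30 node1 sshd[1234]: Accepted publickey for compadmin from 10.0.0.5 port 50222",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.user}: {alert.command}")
```

Only the second and third sample lines produce alerts: a routine allowed command and the real root user's own use of the script are ignored. In practice the "maintenance-script" alert is a review trigger rather than proof of compromise, since the scripts also have a legitimate purpose; what matters is that the record exists somewhere the resulting root session cannot reach.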

Mitigation

EMC has released a patch for all affected versions. Packet Storm Security’s original disclosure contains links to each firmware update package. As usual, we recommend updating all software, both known to be vulnerable and not, when updates are released. If for some reason patching is not possible, then the compadmin user should have its credentials changed and be treated as if it were root in terms of access control until the patch has been applied.

Shea Polansky, Junior Security Analyst at Independent Security Evaluators

Twitter: @isesecurity.


