Researchers have discovered security flaws in the operating system powering Dell EMC's Isilon storage platform, which could open them up to remote code execution by hackers.
The flaws were discovered by Maximiliano Vidal and Ivan Huertas from Core Security and include nine CVEs that, if exploited, could enable privilege escalation and cross-site request forgery attacks.
"There are no anti-CSRF tokens in any forms on the web interface," a security advisory issued by Core Security read. "This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain."
"The web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users."
Attackers could then use the privilege escalation vulnerabilities to run Python code of shell commands with root access, the advisory warned, and use cross-site scripting to impersonate victims, although researchers also noted that the attack relied on some degree of social engineering.
The flaws, which were first discovered in September last year, affect various versions of Dell EMC's Isilon OneFS software ranging from version 7.1.1.11 to version 8.1.1.0. The company told IT Pro that it has now issued security updates to address the vulnerabilities, and has alerted customers via a security advisory.
"With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities," a spokesperson for the company said. "This is a good example of coordinated disclosure in action."
-
Why keeping track of AI assistants can be a tricky businessColumn Making the most of AI assistants means understanding what they can do – and what the workforce wants from them
-
Nvidia braces for a $5.5 billion hit as tariffs reach the semiconductor industryNews The chipmaker says its H20 chips need a special license as its share price plummets
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
Modern enterprise cybersecuritywhitepaper Cultivating resilience with reduced detection and response times
-
IDC InfoBrief: How CIOs can achieve the promised benefits of sustainabilitywhitepaper CIOs are facing two conflicting strategic imperatives
-
The complete guide to the NIST cybersecurity frameworkWhitepaper Find out how the NIST Cybersecurity framework is evolving
-
Are you prepared for the next attack? The state of application security in 2024Webinar Aligning to NIS2 cybersecurity risk-management obligations in the EU
-
The economics of penetration testing for web application securitywhitepaper Get the most value from your security solution
-
How to extend zero trust to your cloud workloadsWhitepaper Implement zero trust-based security across your entire ecosystem
