[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability

To: "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>, "'dm@xxxxxxxxxxxxxxxxx'" <dm@xxxxxxxxxxxxxxxxx>
Subject: ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability
From: Security Alert <Security_Alert@xxxxxxx>
Date: Thu, 26 May 2016 16:23:07 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability 

EMC Identifier: ESA-2016-061
        
CVE Identifier: CVE-2016-0907

Severity Rating: CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) 

Affected products: 
EMC IsilonSD Edge OneFS 8.0.x
EMC Isilon OneFS 8.0.x
EMC Isilon OneFS 7.2.1.x
EMC Isilon OneFS 7.2.0.x
EMC Isilon OneFS 7.1.1.x
EMC Isilon OneFS 7.1.0.x

Summary: 
EMC Isilon OneFS and EMC IsilonSD Edge include an implementation of the SMB 
protocol. This implementation is vulnerable to a man-in-the-middle attack that 
could compromise the affected systems.

Details: 

The Isilon implementation of the SMB client does not require SMB signing within 
a DCERPC session over ncacn_np, which may allow man-in-the-middle attackers to 
spoof SMB clients by modifying the client-server data stream. This is similar 
to CVE-2016-2115 in Samba implementation. More information can be found at 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2115.  

Resolution: 

This issue is resolved in the following versions of OneFS:
?       EMC IsilonSD Edge OneFS 8.0.0.1
?       EMC Isilon OneFS 8.0.0.1
?       EMC Isilon OneFS 7.2.1.3

In addition, patches are available for the following versions of OneFS:   

Version                           Patch

OneFS 8.0.0.0                  Patch-169836
IsilonSD Edge OneFS 8.0.0.0    Patch-169836
OneFS 7.2.1.1 - 7.2.1.2        Patch-169835
OneFS 7.1.1.8 - 7.1.1.9        Patch-169833

EMC recommends that all customers install the appropriate patch at the earliest 
opportunity. If you are not running a version for which a patch is available, 
EMC recommends that you upgrade to a target code version, and then install the 
patch.  

Isilon Engineering is also working to validate a code fix for the following 
product family. This code fix will be available in an upcoming maintenance 
release:

?       EMC Isilon OneFS 7.1.1.x

This ESA will be updated when the code fix becomes available.

Link to remedies:
Registered EMC Online Support customers can download the patches from the 
following locations:

Patch-169836: https://download.emc.com/downloads/DL70407 
Patch-169835: https://download.emc.com/downloads/DL70405 
Patch-169833: https://download.emc.com/downloads/DL70402 

If you have any questions, please contact EMC Support.


Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867. 

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability. EMC 
Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.

EMC Product Security Response Center
security_alert@xxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAldHIk8ACgkQtjd2rKp+ALzFLACfX7UlCfV/s4Z5cs2TpS92ZkFs
ks4AoJM3hbNCMtYXT6NJKVxRfkeiQ4i7
=IGjN
-----END PGP SIGNATURE-----

Prev by Date: [security bulletin] HPSBGN03610 rev.1 - HPE IceWall Products using OpenSSL, Remote Denial of Service (DoS), Arbitrary Code Execution
Next by Date: [CVE-2016-4434] Apache Tika XML External Entity vulnerability
Previous by thread: [security bulletin] HPSBGN03610 rev.1 - HPE IceWall Products using OpenSSL, Remote Denial of Service (DoS), Arbitrary Code Execution
Next by thread: [CVE-2016-4434] Apache Tika XML External Entity vulnerability
Index(es):
- Date
- Thread