CVE-2025-27690

Summary

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.

Affected Software

VendorProductVersion RangeStatus
DellPowerScale OneFS9.5.0.0 <= 9.5.1.2affected
DellPowerScale OneFS9.6.0.0 <= 9.7.1.6affected
DellPowerScale OneFS9.8.0.0 <= 9.8.0.2affected
DellPowerScale OneFS9.9.0.0 <= 9.9.0.1affected
DellPowerScale OneFS9.10.0.0 <= 9.10.1.0affected

Weaknesses

  • CWE-1393: CWE-1393: Use of Default Password

Workarounds

These independent workarounds can be in place until an upgrade to a fixed release, or patch can be applied.

Note: Authentication Provider hash types can be viewed with isi auth file view System in the "Password Hash Type" entry.

Workaround 1:

Add the impacted users to the "Users who cannot be modified" list. For clusters that have not switched to SHA256 or SHA512 hash types:

isi auth file modify System –add-unmodifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt –remove-modifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt –restrict-modifiable=true

For clusters that have switched to SHA256 or SHA512 hash types: Add above users, but also include other file provider users with system privileges:

isi auth file modify System –add-unmodifiable-users=root,admin –remove-modifiable-users=root,admin –restrict-modifiable=true

Once the patch is applied, if you use the users, you can make them modifiable again.

Workaround 2:

For clusters that have not switched to SHA256 or SHA512 hash types. Set/reset password for users that are not blocked for modification in the System zone file provider, as well as disabling them.

  • compadmin, remotesupport, ese, insightiq, www, nobody, git_daemon, isdmgmt

Workaround 3:

Disable the WebUI and API via CLI

isi http services modify Platform-API-External –enabled=false

This does not completely mitigate the issue as it could still be abused by users with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH.

Workaround 4:

Limit access to API & WebUI to trusted networks via firewall rule

  • Enable the firewall
  • In "default_pools_policy" modify "rule_isi_webui" to restrict "source network" to a trusted set of networks/IPs

This does not completely mitigate the issue as it could still be abused by users with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH, as well as users on the IPs allowed through the firewall.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References