Advisory

Dell fixes multiple flaws in PowerScale OneFS, at least one critical

Take action: If you are running Dell PowerScale OneFS, it is time to update all installations to version 9.10.1.1 or later - especially because of CVE-2025-27690, which could allow complete system takeover. If you can't update immediately, implement the workarounds - add users to the "Users who cannot be modified" list and restrict access to the WebUI and API through firewall rules.


Learn More

Dell Technologies has released a critical security update for PowerScale OneFS to address multiple vulnerabilities that could be exploited by malicious actors to compromise affected systems. 

Dell PowerScale OneFS is a distributed file system designed for scale-out storage, enabling efficient management and protection of unstructured data across multiple nodes. It is part of the Isilon storage platform and is built on a FreeBSD variant, providing features like FlexProtect for data resilience and support for various network protocols.

The update, referenced as DSA-2025-119, includes patches for six identified security flaws of varying severity. The most critical vulnerability potentially allows complete system takeover by remote, unauthenticated attackers.

The security update addresses the following vulnerabilities:

  • CVE-2025-27690 (CVSS score 9.8): A critical default password vulnerability affecting PowerScale OneFS versions 9.5.0.0 through 9.10.1.0. An unauthenticated attacker with remote access could exploit this vulnerability to take over a highly privileged user account, potentially gaining complete control of the system.
  • CVE-2025-26330 (CVSS score 7.0): An incorrect authorization vulnerability in versions 9.4.0.0 through 9.10.0.1 that could allow an unauthenticated attacker with local access to gain access to the cluster with the privileges previously held by a disabled user account.
  • CVE-2025-22471 (CVSS score 6.5): An integer overflow or wraparound vulnerability in versions 9.4.0.0 through 9.10.0.1 that could be exploited by an unauthenticated attacker with remote access to cause a denial of service.
  • CVE-2025-26480 (CVSS score 5.3): An uncontrolled resource consumption vulnerability in versions 9.5.0.0 through 9.10.0.0 that could be exploited by an unauthenticated attacker with remote access to cause a denial of service.
  • CVE-2025-23378 (CVSS score 3.3): An exposure of information through directory listing vulnerability in versions 9.4.0.0 through 9.10.0.0 that could be exploited by a low-privileged attacker with local access to obtain sensitive information.
  • CVE-2025-26479 (CVSS score 3.1): An out-of-bounds write vulnerability in versions 9.4.0.0 through 9.10.0.0 that could be exploited in NFS workflows, leading to data integrity issues.

Dell Technologies has released updated versions to address these vulnerabilities:

  • For most vulnerabilities: Update to version 9.10.1.1 or later, which Dell recommends as its Long-Term Support (LTS) 2025 release
  • For specific version ranges, the following updates are available:
    • Version 9.4.0.0 through 9.4.0.20: Update to version 9.4.0.21 or later
    • Version 9.5.0.0 through 9.5.1.2: Update to version 9.5.1.3 or later
    • Version 9.7.0.0 through 9.7.1.4: Update to version 9.7.1.5 or later
    • Version 9.6.0.0 through 9.7.1.6: Update to version 9.7.1.7 or later
    • Version 9.8.0.0 through 9.8.0.2: Update to version 9.8.0.3 or later
    • Version 9.9.0.0 through 9.9.0.1: Update to version 9.9.0.2 or later
    • Version 9.10.0.0 through 9.10.1.0: Update to version 9.10.1.1 or later
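The version ranges above overlap (a 9.7.x cluster matches two rows with different fix targets), so a naive lookup can recommend a release that is itself still listed as affected. The following is an added example, not code from Dell or the advisory: it transcribes the table and the CVE-2025-27690 range from this page and, for a constructed inventory of cluster versions, reports whether each is exposed to the critical flaw and the lowest release that sits outside every affected range.

```python
# Added example, not code from Dell or the advisory: check OneFS cluster
# versions against the affected ranges and fix versions listed above.
# Table rows are transcribed from the advisory; the inventory is constructed.

def parse(v):
    """Turn a dotted OneFS version such as '9.7.1.4' into a comparable tuple."""
    parts = tuple(int(p) for p in v.split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected OneFS version format: {v!r}")
    return parts

# (first affected, last affected, first fixed) per the advisory's update list
FIX_TABLE = [
    ("9.4.0.0", "9.4.0.20", "9.4.0.21"),
    ("9.5.0.0", "9.5.1.2", "9.5.1.3"),
    ("9.7.0.0", "9.7.1.4", "9.7.1.5"),
    ("9.6.0.0", "9.7.1.6", "9.7.1.7"),
    ("9.8.0.0", "9.8.0.2", "9.8.0.3"),
    ("9.9.0.0", "9.9.0.1", "9.9.0.2"),
    ("9.10.0.0", "9.10.1.0", "9.10.1.1"),
]
RANGES = [(parse(lo), parse(hi), parse(fix)) for lo, hi, fix in FIX_TABLE]

# CVE-2025-27690 (default password, CVSS 9.8): 9.5.0.0 through 9.10.1.0
CRITICAL_LO, CRITICAL_HI = parse("9.5.0.0"), parse("9.10.1.0")

def exposed_to_critical(v):
    """True if the version falls in the CVE-2025-27690 affected range."""
    return CRITICAL_LO <= parse(v) <= CRITICAL_HI

def minimum_fixed_version(v):
    """Lowest release that lies in none of the affected ranges.

    The rows overlap: 9.7.1.2 is in both the 9.7.0.0-9.7.1.4 row (fix 9.7.1.5)
    and the 9.6.0.0-9.7.1.6 row (fix 9.7.1.7), so a single lookup can return a
    target that is itself still listed as affected. Iterate until no row matches.
    """
    cur = parse(v)
    while True:
        targets = [fix for lo, hi, fix in RANGES if lo <= cur <= hi]
        if not targets:
            return ".".join(map(str, cur))
        cur = max(targets)

if __name__ == "__main__":
    # constructed sample inventory, not real clusters
    sample = {"nas-a": "9.7.1.2", "nas-b": "9.10.1.1", "nas-c": "9.4.0.5"}
    for name, ver in sample.items():
        print(f"{name} {ver}: critical={exposed_to_critical(ver)} "
              f"update_to={minimum_fixed_version(ver)}")
```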

For organizations unable to immediately apply the updates, Dell has provided several temporary workarounds specifically for the most critical vulnerability (CVE-2025-27690):

  1. Add impacted users to the "Users who cannot be modified" list:
    • For clusters not using SHA256/SHA512 hash types: Protect specific system users
    • For clusters using SHA256/SHA512 hash types: Include additional system privilege users
  2. Reset passwords and disable vulnerable accounts for clusters not using SHA256/SHA512 hash types
  3. Disable the WebUI and API via CLI, though this does not provide complete mitigation
  4. Restrict access to API & WebUI to trusted networks via firewall rules, though this also provides only partial mitigation