CVE-2016-0907 in Isilon OneFS
Summary
by MITRE
EMC Isilon OneFS 7.1.x anxd 7.2.x before 7.2.1.3 and 8.0.x before 8.0.0.1, and IsilonSD Edge OneFS 8.0.x before 8.0.0.1, does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream, a similar issue to CVE-2016-2115.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/22/2022
The vulnerability identified as CVE-2016-0907 affects EMC Isilon OneFS storage systems across multiple versions including 7.1.x and 7.2.x prior to 7.2.1.3, 8.0.x prior to 8.0.0.1, and IsilonSD Edge OneFS 8.0.x prior to 8.0.0.1. This security flaw resides in the implementation of Server Message Block (SMB) protocol handling within Distributed Computing Environment Remote Procedure Call (DCERPC) sessions, specifically when utilizing the ncacn_np transport protocol. The vulnerability represents a critical weakness in the authentication and data integrity mechanisms that should normally protect against malicious interference in network communications.
The technical flaw stems from the absence of SMB signing requirements during DCERPC sessions over ncacn_np transport. SMB signing is a cryptographic mechanism designed to ensure data integrity and authenticate the parties involved in SMB communications by generating and verifying message integrity checks. When this mechanism is disabled or not enforced, attackers can exploit the lack of verification to perform man-in-the-middle attacks. The vulnerability specifically impacts the ncacn_np transport which is commonly used for RPC communications over SMB, making it particularly dangerous in enterprise environments where file sharing and distributed computing are prevalent. This weakness allows attackers to modify the client-server data stream without detection, effectively enabling them to impersonate legitimate SMB clients within the network.
The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with the capability to perform sophisticated network infiltration and data manipulation attacks. An attacker positioned within the network can intercept and modify SMB traffic between clients and servers, potentially gaining unauthorized access to shared resources, modifying file contents, or redirecting network traffic to malicious endpoints. The vulnerability's similarity to CVE-2016-2115 indicates a pattern of weak SMB security implementation that has been previously documented in the industry, suggesting that organizations with affected systems are at risk of data breaches, privilege escalation, and unauthorized system access. This weakness particularly affects enterprise storage environments where Isilon systems are commonly deployed for high-performance computing and data storage operations.
Organizations should immediately implement mitigations including applying the vendor-provided patches and updates to bring affected systems to versions 7.2.1.3 or 8.0.0.1 and later. Network segmentation and monitoring should be enhanced to detect anomalous SMB traffic patterns, while administrators should configure SMB signing requirements to enforce cryptographic verification of all communications. The vulnerability aligns with CWE-310, which addresses cryptographic weaknesses in authentication mechanisms, and maps to ATT&CK techniques related to credential access and defense evasion through network protocol manipulation. Security teams should also consider implementing network intrusion detection systems that can identify and alert on suspicious SMB traffic modifications and ensure that all RPC communications over ncacn_np transport are properly secured with appropriate authentication and integrity checking mechanisms.