DELL EMC PATCHES CRITICAL FLAWS IN VMAX ENTERPRISE STORAGE SYSTEMS

Haythem Elmir
0 1
Read Time2 Minute, 8 Second

Dell EMC fixed two critical flaws in its management interfaces for its VMAX enterprise storage systems. One of the vulnerabilities could allow a remote attacker to use a hard-coded password to a default account to gain unauthorized access to systems.

The company issued updates that address the two vulnerabilities, CVE-2018-1215 and CVE-2018-1216, on Tuesday. Dell EMC’s VMAX Virtual Appliance (vApp) Manager is a key component to a wide range of the company’s enterprise storage systems.

“The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system,” wrote Dell EMC in a security advisory.

The most serious flaw (CVE-2018-1216) in the vApp Manager is tied to an undocumented default account (ÒsmcÓ) which has a hard-coded password that can be used in conjunction with web-based Java servlets. Java servlets are server-side programs which run on the server side, handling specialized requests.

“A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system,” according to the security bulletin. The vulnerability has a Common Vulnerability Scoring System (CVSS) base score of 9.8.

The other critical vulnerability (CVE-2018-1215) fixed in the vApp Manager application is also rated critical with a CVSS score of 8.8. In the case of this vulnerability, a remote authenticated malicious user could upload arbitrary maliciously crafted files to any location on a targeted web server.

Researchers point out this vulnerability requires a chaining of the previous vulnerability CVE-2018-1216 in order to exploit it.

Credited for finding the bug is Carlos Perez, a researcher with Tenable.

Dell EMC says part of its mitigation efforts have included removing the default ÒsmcÓ account from fresh installs. However, it said the account will not be removed when customers upgrade the vApp Manager application. “However all servlets that use this account have been removed from the application making the account obsolete,” Dell EMC noted.

Affected products include:

Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18

Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21

Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514

Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

Over 30 Lawsuits Filed Against Intel for CPU Flaws

More than 30 lawsuits have been filed by Intel customers and shareholders against the chip giant following the disclosure of the Meltdown and Spectre attack methods. Three class action lawsuits were filed against Intel within a week of the Meltdown and Spectre flaws being disclosed, but the number had reached 32 by […]