Are you using EMC and VMware solutions? Watch out unauthorized accesses!

EMC Data Domain OS and VMware NSX and vRealize are affected by security issues that could be exploited to gain unauthorized access to data.

Both EMC and VMware are affected by security issues that could allow unauthorized access to attackers.

An information disclosure vulnerability in the EMC Data Domain OS could potentially be exploited by malicious users to compromise the affected system.

EMC Data Domain OS is the operating system running on disk backup units, the flaw could allow ill-intentioned users to log the system assuming the identity of one of the allowed users and access his data.

“Data Domain logs the session identifier of a user logged in via the GUI in a file that is accessible to all users. A malicious user could use the disclosed
session identifier to take over the account of the victim, a GUI user whose session identifier was disclosed.” reported the notification published by EMC.

EMC issued a security update for the EMC Data Domain OS 5.5, 5.6 and 5.7.

Are you using VMware NSX and vCNS products? You must read this, according to the VMSA-2016-0007 advisory, the VMware NSX and vCNS product updates address a critical information disclosure vulnerability in the VMware software.

An attacker can exploit the vulnerability to gain access to sensitive data as explained by the company in the advisory.

“VMware NSX and vCNS with SSL-VPN enabled contain a critical input validation vulnerability. This issue may allow a remote attacker to gain access to sensitive information. ” states the advisory.

VMware released security patches for both NSX Edge 6.1 and 6.2 and vCNS Edge 5.5. Unfortunately, VMware admins have to consider also another security issue, an important stored cross-site scripting issue in VMware vRealize Log Insight (VMSA-2016-0008)

Hackers can exploit the flaw to hijack an authenticated user’s session, the security advisory urges administrators using Versions 2.x and 3.x to apply the available patches.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – VMware, EMC Data Domain)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.