Are you using EMC and VMware solutions? Watch out unauthorized accesses!

EMC Data Domain OS and VMware NSX and vRealize are affected by security issues that could be exploited to gain unauthorized access to data.

Both EMC and VMware are affected by security issues that could allow unauthorized access to attackers.

An information disclosure vulnerability in the EMC Data Domain OS could potentially be exploited by malicious users to compromise the affected system.

EMC Data Domain OS is the operating system running on disk backup units, the flaw could allow ill-intentioned users to log the system assuming the identity of one of the allowed users and access his data.

“Data Domain logs the session identifier of a user logged in via the GUI in a file that is accessible to all users. A malicious user could use the disclosed
session identifier to take over the account of the victim, a GUI user whose session identifier was disclosed.” reported the notification published by EMC.

EMC issued a security update for the EMC Data Domain OS 5.5, 5.6 and 5.7.

Are you using VMware NSX and vCNS products? You must read this, according to the VMSA-2016-0007 advisory, the VMware NSX and vCNS product updates address a critical information disclosure vulnerability in the VMware software.

An attacker can exploit the vulnerability  to gain access to sensitive data as explained by the company in the advisory.

“VMware NSX and vCNS with SSL-VPN enabled contain a critical input validation vulnerability. This issue may allow a remote attacker to gain access to sensitive information. ” states the advisory.

VMware released security patches for both NSX Edge 6.1 and 6.2 and vCNS Edge 5.5. Unfortunately, VMware admins have to consider also another security issue, an important stored cross-site scripting issue in VMware vRealize Log Insight (VMSA-2016-0008)

Hackers can exploit the flaw to hijack an authenticated user’s session, the security advisory urges administrators using Versions 2.x and 3.x to apply the available patches.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – VMware, EMC Data Domain)