Pierluigi Paganini February 16, 2018

Dell EMC addressed two critical vulnerabilities that affect the management interfaces for its VMAX enterprise storage systems.

The Dell EMC’s VMAX Virtual Appliance (vApp) Manager is an essential component of a wide range of the enterprise storage systems.

The first flaw tracked as CVE-2018-1215 is an arbitrary file upload vulnerability that could be exploited by a remote authenticated attacker to potentially upload arbitrary maliciously crafted files in any location on the web server. The flaw received a Common Vulnerability Scoring System (CVSS) base score of 8.8.

“Arbitrary file upload vulnerability A remote authenticated malicious user may potentially upload arbitrary maliciously crafted files in any location on the web server. By chaining this vulnerability with CVE-2018-1216, the attacker may use the default account to exploit this vulnerability.” reads the security advisory.

The second flaw tracked as CVE-2018-1216 is an undocumented default account in the vApp Manager with a hard-coded password. The flaw received a Common Vulnerability Scoring System (CVSS) base score of 9.8.

“Hard-coded password vulnerability The vApp Manager contains an undocumented default account (ÒsmcÓ) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface.” continues the advisory. 

The CVE-2018-1215 could be chained with a second flaw tracked as CVE-2018-1216 to use a hard-coded password to a default account to exploit this vulnerability.

“The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.” states the security advisory issued by Dell EMC.

Affected products:

• Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18
• Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21
• Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514
• Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)
• Dell EMC has removed the default ÒsmcÓ account from new installs, but the company noticed that the account will not be removed after the upgrade of the vApp Manager application.

Pierluigi Paganini

(Security Affairs – VMAX enterprise storage systems, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]