
List:       bugtraq
Subject:    ESA-2012-038: EMC NetWorker Format String Vulnerability
From:       Security Alert <Security_Alert () emc ! com>
Date:       2012-08-30 17:18:22
Message-ID: 2998EC4866DB304BB746A1FC21C45714080699D040 () MX29A ! corp ! emc ! com

["ESA-2012-038.txt" (text/plain)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2012-038: EMC NetWorker Format String Vulnerability

EMC Identifier: ESA-2012-038

CVE Identifier: CVE-2012-2288 

Severity Rating: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


Affected products:

EMC NetWorker 7.6.3

EMC NetWorker 7.6.4

EMC NetWorker 8.0



Summary:

A format string vulnerability exists in the EMC NetWorker nsrd RPC service that could potentially be exploited by a malicious user to execute arbitrary code.


Details:

The nsrd RPC service is the NetWorker binary responsible for managing save and recover operations, gathering statistics, and maintaining the NetWorker resource database. The availability of this NetWorker Server process is essential for the proper operation of the product.

 

Under the context of an account running the NetWorker Server process, a remote malicious user could send a specially-crafted message that could corrupt application memory and subsequently execute arbitrary code.


Resolution:

The following EMC NetWorker products contain resolutions to this issue:

EMC NetWorker 7.6.4.1 and later
EMC NetWorker 8.0.0.1 and later

 

Link to remedies:


Registered EMC Online Support customers can download software from support.emc.com. 

Select “Support by Product” and type “NetWorker” (https://support.emc.com/products/1095_NetWorker). From this page select “Downloads”, “Documentation” or “Advisories” as required.


Credits: 

EMC would like to thank Aaron Portnoy via the Exodus Intelligence Program (http://www.exodusintel.com/eip) for reporting this issue.



Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.


EMC Product Security Response Center

Security_Alert@emc.com

http://www.emc.com/contact-us/contact/product-security-response-center.htm 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Cygwin)

iEYEARECAAYFAlA/n5QACgkQtjd2rKp+ALzL8QCfY5yy3ZGpPOshEhWG0riaK9Vn
feoAnj9PnmFKQQ94S00W//5lqLQ2HEZ1
=OBiJ
-----END PGP SIGNATURE-----


