List:       bugtraq
Subject:    ESA-2013-072: EMC NetWorker Information Disclosure Vulnerability
From:       Security Alert <Security_Alert () emc ! com>
Date:       2013-10-29 11:03:46
Message-ID: 37F0BE0896DB1544B5BEFBE34F79D05330FA7D25 () MX103CL01 ! corp ! emc ! com
ESA-2013-072: EMC NetWorker Information Disclosure Vulnerability


EMC Identifier: ESA-2013-072


EMC Identifier: NW152441


CVE Identifier: CVE-2013-3285


Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)


Affected products:  

EMC NetWorker version 8.0.x


Summary:  

A vulnerability exists in EMC NetWorker that could allow exposure of sensitive information under specific circumstances.


Details: 

When the NetWorker Management Console (NMC) is configured to use Active Directory/LDAP for user authentication through the NMC administration GUI, an authenticated user may be able to see the AD/LDAP administrator password in clear text within certain NMC audit reports or by querying the NetWorker RAP resource.


Resolution:  

To address this issue, customers must perform the following steps:
1.	Upgrade the NetWorker server and NMC server software to the following versions:
•	EMC NetWorker 8.0.2.3 and above
•	EMC NetWorker 8.1 and above
2.	Change existing Active Directory/LDAP Administrator password to mitigate the exposure.
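
The following triage sketch is an added example, not part of the EMC advisory: it maps an inventory of NetWorker hosts to the two resolution steps above. The inventory format, host names and the `ldap_auth` flag are assumptions; only the version boundaries (8.0.x affected, 8.0.2.3 and 8.1 fixed) come from the advisory.

```python
import re

FIXED_8_0 = (8, 0, 2, 3)  # first fixed 8.0 release named in the advisory

def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def classify(version_text):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    v = parse_version(version_text)
    padded = v + (0,) * (4 - len(v))  # "8.0.2" compares as 8.0.2.0
    if padded[:2] == (8, 0):
        return "affected" if padded[:4] < FIXED_8_0 else "fixed"
    if padded[:2] >= (8, 1):
        return "fixed"
    return "not-listed"  # the advisory names only 8.0.x as affected

def triage(inventory):
    """Map each host to the advisory's resolution steps that apply to it."""
    plan = {}
    for host, version, ldap_auth in inventory:
        steps = []
        if classify(version) == "affected":
            steps.append("upgrade to 8.0.2.3+ or 8.1+")
            if ldap_auth:  # exposure arises when NMC uses AD/LDAP authentication
                steps.append("change AD/LDAP administrator password")
        plan[host] = steps
    return plan

# Constructed inventory: (host, reported version, NMC uses AD/LDAP auth)
SAMPLE = [
    ("nw-a.example", "8.0.1.4", True),
    ("nw-b.example", "8.0.2.3", True),
    ("nw-c.example", "8.1.0.1", False),
    ("nw-d.example", "8.0.2", False),
]

if __name__ == "__main__":
    for host, steps in triage(SAMPLE).items():
        print(host, "->", steps or "no action from ESA-2013-072")
```

A host already on a fixed release may still need the password change if it ran 8.0.x with AD/LDAP authentication before the upgrade; this inventory does not record that history.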


Link to remedies:


Registered EMC Online Support customers can download software from support.emc.com. 

Select “Support by Product” and type “NetWorker” (Direct link NetWorker). From this page select “Downloads”, “Documentation” or “Advisories” as required.


Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.