
List:       bugtraq
Subject:    ESA-2013-092: EMC Replication Manager Unquoted File Path Enumeration Vulnerability
From:       Security Alert <Security_Alert () emc ! com>
Date:       2013-12-24 15:10:17
Message-ID: 37F0BE0896DB1544B5BEFBE34F79D05330FF81E7 () MX103CL01 ! corp ! emc ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2013-092: EMC Replication Manager Unquoted File Path Enumeration Vulnerability 

EMC Identifier: ESA-2013-092 

CVE Identifier: CVE-2013-6182

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)


Affected products:  

EMC Replication Manager versions prior to 5.5


Summary:  

EMC Replication Manager uses scripts that may include unquoted elements in file paths.


Details:  

EMC Replication Manager allows a user to create scripts whose file paths contain unquoted elements such as whitespace or other separators. When such a path is resolved, components in a parent directory may be tried before the intended script; a local malicious user who can place a file in that parent path may therefore be able to have it executed in place of the intended script.
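The mechanism described above, worked through as an added example (this is not EMC's code and not part of Replication Manager): the model of how an unquoted path is resolved follows the documented Windows CreateProcess behaviour for an unquoted command line, where every space-delimited prefix is tried in turn as the program name. That RM launches user scripts this way, the script path C:\Program Files\EMC Replication Manager\scripts\post_replica.bat, the --target option and the set of user-writable directories are all assumptions constructed for the illustration.

```python
"""Enumerate where an unquoted script path can be hijacked, and show the fix.

Added example for this advisory; it is not EMC's code and not part of
Replication Manager. The resolution model is the documented Windows
CreateProcess behaviour for an unquoted command line: the string is split
at each space and every prefix is tried in turn as the program name (".exe"
is appended when the prefix has no extension) until a file exists. That RM
launches user scripts this way is an assumption made here for illustration;
the advisory itself only says scripts may contain unquoted path elements.
"""
from __future__ import annotations

import ntpath


def candidate_programs(cmdline: str) -> list[str]:
    """Paths the launcher may resolve the first token to, in probe order.

    A quoted program name yields exactly one candidate. For an unquoted
    name every space-delimited prefix is a candidate; the real launcher
    stops at the first one that exists on disk.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        return [cmdline[1:close] if close != -1 else cmdline[1:]]
    tokens = cmdline.split(" ")
    candidates: list[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        # Default-extension rule: ".exe" is tried only when none is present.
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(cmdline: str, intended: str, writable_dirs: set[str]) -> list[str]:
    """Candidates probed *before* the intended script that live in a
    directory a low-privileged user can write to. Planting a file at any
    of them gets attacker code run instead of the script."""
    writable = {ntpath.normcase(d) for d in writable_dirs}
    points: list[str] = []
    for cand in candidate_programs(cmdline):
        if ntpath.normcase(cand) == ntpath.normcase(intended):
            break  # the real script is found here; later prefixes are never probed
        if ntpath.normcase(ntpath.dirname(cand)) in writable:
            points.append(cand)
    return points


def quote_command(program: str, *args: str) -> str:
    """The fix the advisory asks for: make the program path one token by
    quoting it (arguments containing whitespace are quoted as well)."""
    parts = [f'"{program}"']
    parts += [f'"{a}"' if " " in a else a for a in args]
    return " ".join(parts)


# Constructed sample input: a hypothetical post-replication script path and
# argument, not a real Replication Manager location or option.
SCRIPT = r"C:\Program Files\EMC Replication Manager\scripts\post_replica.bat"
UNQUOTED = f"{SCRIPT} --target LUN_12"
QUOTED = quote_command(SCRIPT, "--target", "LUN_12")

# Constructed for the demo: directories assumed writable by unprivileged
# users on this host. On a real system take this from an ACL audit.
WRITABLE_DIRS = {"C:\\", r"C:\Program Files"}

if __name__ == "__main__":
    print("unquoted candidates:")
    for c in candidate_programs(UNQUOTED):
        print("   ", c)
    print("hijack points:", hijack_points(UNQUOTED, SCRIPT, WRITABLE_DIRS))
    print("quoted form:", QUOTED)
    print("hijack points after fix:", hijack_points(QUOTED, SCRIPT, WRITABLE_DIRS))
```

For the unquoted form the first three candidates (C:\Program.exe, C:\Program Files\EMC.exe, C:\Program Files\EMC Replication.exe) all sit in parent directories of the script, which is exactly the exposure the advisory describes; once the path is quoted the only candidate is the script itself, so the rewrite of existing scripts that the Resolution section requires is what removes the hijack points, not the upgrade alone. When auditing a real host, build the writable-directory set from the ACLs of each path prefix rather than from assumptions.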


Resolution:  

The following products contain the resolution to this issue:
•	EMC Replication Manager version 5.5.0 and later.

After upgrading, customers must rewrite existing user scripts to fully mitigate the vulnerability. See the Replication Manager Administrator's Guide (P/N 302-000-519) and refer to the Replication Manager Online Help for instructions on how to create scripts.

EMC strongly recommends that all customers upgrade to version 5.5 or later at the earliest opportunity and apply the steps above.


Link to remedies:

Customers can download software from https://support.emc.com/products/1293.



Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends that all customers take into account both the base score and any relevant temporal and environmental scores which may affect the potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories in order to bring important security information to the attention of users of the affected EMC products. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlK5oyQACgkQtjd2rKp+ALxo2QCeM8q5vWBETcNtvxiVuOIE967i
iHcAoLNzjJv0sD+v7bDDffVScQ+9PgjX
=oweC
-----END PGP SIGNATURE-----


