
List:       full-disclosure
Subject:    [FD] ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account Vulnerability
From:       EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2017-09-26 18:51:31
Message-ID: 1BF8853173D9704A93EF882F85952A892F90FE () MX304CL04 ! corp ! emc ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account Vulnerability

EMC Identifier: ESA-2017-119
CVE Identifier: CVE-2017-8021
Severity Rating: CVSS Base Score: 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)

Affected products: 
*	EMC Elastic Cloud Storage all versions prior to 3.1

Summary:  
EMC Elastic Cloud Storage (ECS) is affected by an undocumented account vulnerability that could potentially be leveraged by malicious users to compromise the affected system.

Details:  
ECS versions prior to 3.1 contain an undocumented account (emcservice) that is protected with a default password. This user account is intended for use by customer support representatives to troubleshoot ECS configuration issues. A remote malicious user with knowledge of the default password could potentially log in and compromise the affected system.

Resolution:  
Information about this account has been added to the ECS 3.1 Security Configuration Guide. EMC recommends that all customers change the default password at the earliest opportunity.

Link to Remedy:
Customers are requested to contact Customer Support to help change the default password for this account.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

