
List:       full-disclosure
Subject:    [FD] ESA-2017-137: EMC VMAX Virtual Appliance (vApp) Authentication Bypass Vulnerability
From:       EMC Product Security Response Center <Security_Alert@emc.com>
Date:       2017-10-30 16:38:13
Message-ID: 1BF8853173D9704A93EF882F85952A89337AD8@MX304CL04.corp.emc.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-137: EMC VMAX Virtual Appliance (vApp) Authentication Bypass Vulnerability

EMC Identifier: ESA-2017-137
CVE Identifier: CVE-2017-14375
Severity Rating: CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected products:  
*EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.15

*EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15

*EMC VASA Virtual Appliance versions prior to 8.4.0.512

*EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)


Summary:
The vApp Manager embedded in EMC Unisphere for VMAX, Solutions Enabler, the VASA Virtual Appliance, and EMC VMAX Embedded Management (eManagement) contains an authentication bypass vulnerability that may potentially be exploited by malicious users to compromise the affected system.

Details:
The vApp Manager contains a servlet that does not perform proper authentication checks before processing AMF messages for user creation requests. A remote unauthenticated attacker who knows the message format may create new user accounts with administrative privileges and then log in to the affected application.

Resolution:  
The following VMAX products contain a resolution for this vulnerability:
ESX Server Installs:  

*EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA

*EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 ISO

*EMC Unisphere for VMAX Virtual Appliance 8.3.0.10 OVA hotfix 1084, Service Alert 1054

*EMC Unisphere for VMAX Virtual Appliance 8.3.0.10 ISO upgrade hotfix 1083, Service Alert 1053

*EMC Solutions Enabler Virtual Appliance 8.4.0.15 OVA hotfix 2051, Service Alert 1884

*EMC Solutions Enabler Virtual Appliance 8.4.0.15 ISO upgrade hotfix 2050, Service Alert 1883

*EMC Solutions Enabler Virtual Appliance 8.3.0.33 OVA hotfix 2049, Service Alert 1882

*EMC Solutions Enabler Virtual Appliance 8.3.0.33 ISO upgrade hotfix 2048, Service Alert 1881

*EMC VASA Virtual Appliance 8.4.0.512 OVA

*EMC VASA Virtual Appliance 8.4.0.512 ISO upgrade


eManagement:  

*eMGMT 1.4.0.350 ePack kit 6684

*eMGMT 1.3.0.312 ePack kit 6700

EMC recommends all customers upgrade at the earliest opportunity.
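An added helper for checking an inventory of appliances against this advisory, not EMC code: the version bounds come from the Affected products list ("prior to" is exclusive, eManagement's "prior to and including 1.4" is inclusive) and the in-place fixes from the Resolution list (hotfix numbers for the vApps, ePack kit numbers for eManagement). The product keys, the `applied` argument and the sample inventory are conventions of this helper.

```python
# Added helper for this advisory; not EMC code. Bounds and fix identifiers are
# transcribed from the "Affected products" and "Resolution" sections; product
# keys, the `applied` argument and the sample inventory are this helper's own.

def parse_version(text):
    """'8.4.0.15' -> (8, 4, 0, 15); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


# Upper bound of the affected range per product, and whether it is inclusive.
AFFECTED = {
    "unisphere-vapp":         ("8.4.0.15",  False),
    "solutions-enabler-vapp": ("8.4.0.15",  False),
    "vasa-vapp":              ("8.4.0.512", False),
    "emanagement":            ("1.4",       True),
}

# Builds inside the affected range that the Resolution section fixes in place.
REMEDIATED_BY = {
    ("unisphere-vapp", "8.3.0.10"):         {1084, 1083},
    ("solutions-enabler-vapp", "8.3.0.33"): {2049, 2048},
    ("emanagement", "1.4.0.350"):           {6684},
    ("emanagement", "1.3.0.312"):           {6700},
}


def is_affected(product, version, applied=frozenset()):
    """True when `version` falls in the advisory's affected range and none of
    the listed in-place fixes for that exact build is in `applied`."""
    bound, inclusive = AFFECTED[product]
    v, b = parse_version(version), parse_version(bound)
    in_range = v[:len(b)] <= b if inclusive else v < b
    if not in_range:
        return False
    fixes = REMEDIATED_BY.get((product, version), set())
    return not (fixes & set(applied))


def audit(inventory):
    """Return the (host, product, version) rows that still need action.
    Inventory rows are (host, product, version, applied_fix_numbers)."""
    return [(host, product, version)
            for host, product, version, applied in inventory
            if is_affected(product, version, applied)]


# Constructed inventory for the demo; hostnames are made up.
SAMPLE_INVENTORY = [
    ("u4v-prod", "unisphere-vapp",         "8.4.0.12",  set()),
    ("u4v-lab",  "unisphere-vapp",         "8.3.0.10",  {1084}),
    ("se-old",   "solutions-enabler-vapp", "8.3.0.33",  set()),
    ("vasa-1",   "vasa-vapp",              "8.4.0.512", set()),
    ("emgmt-a",  "emanagement",            "1.4.0.350", set()),
    ("emgmt-b",  "emanagement",            "1.4.0.350", {6684}),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("needs action:", *row)
```

Two caveats when using this against real systems: the Affected products list treats Solutions Enabler 8.4.0.15 as fixed while the Resolution section also lists hotfixes 2051 and 2050 for that build, so confirm with Customer Support which applies to a given deployment; and a version string alone says nothing about whether a hotfix or ePack has been applied, so that state has to be collected from the appliance itself.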


Link to remedies:

Customers can download software for EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA and ISO from EMC Online Support at https://support.emc.com/downloads/27045_Unisphere-for-VMAX

For all other fixes, customers should contact Customer Support and open a Customer Service Request.

Credit:
EMC would like to thank rgod, working with Trend Micro's Zero Day Initiative, for reporting this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZ90fjAAoJEHbcu+fsE81ZtNYIAIQvi8RPtbxQv8PA5Q2vIsij
sCo3qsDMMA1wSViqiHVS03HmJXC/ju/snPKEwC7tGAyrwzdNxSrqUzQNwQur9V94
r7Uqfk/LxhuyXypUujw61UsPd9v7mhZ1x/kzxSkVP8000LMi2r6eihyBC3pI+eZ8
d3vr7V8x+jtco9YD9bzMYqwXsMWqINJTwZrTam+xpHIqZax/qsaHLx7aFK6nwT4d
6V2t9Jlyt7B80TyQuHDlA4CXJXMbW37zPi9iOiJwdHIB8QbM6tz8cVuM1jjCq922
5xDA27SEKPFXyl6O9zNqrFL0tahMwtLAizO8QM9b03FXaqdq7pnaCMBjgZS2jVc=
=Dt5B
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

