List: full-disclosure
Subject: [FD] ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities
From: EMC Product Security Response Center <Security_Alert () emc ! com>
Date: 2017-11-20 18:07:35
Message-ID: 1BF8853173D9704A93EF882F85952A8936BC2E () MX304CL04 ! corp ! emc ! com
ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities
EMC Identifier: ESA-2017-094
CVE Identifier: CVE-2017-8001, CVE-2017-8019, CVE-2017-8020
Severity Rating: CVSSv3 Base Score: See below for CVSS scores for individual CVEs
Affected products:
EMC ScaleIO 2.0.1.x version family (2.0.1.3, 2.0.1.2, 2.0.1.1, 2.0.1)
Summary:
EMC ScaleIO contains a number of vulnerabilities which could potentially be exploited by malicious users to compromise an affected system.
Details:
EMC ScaleIO contains the following vulnerabilities:
* Sensitive Information Disclosure (CVE-2017-8001)
In a Linux environment, one of the EMC ScaleIO support scripts saves the credentials of the ScaleIO MDM user who executed the script in clear text in temporary log files. The temporary files may potentially be read by an unprivileged user with access to the server where the script was executed to recover exposed credentials.
CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
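Added example (not from the advisory or from ScaleIO itself): a shell sketch of the pattern CVE-2017-8001 describes, a support script whose log captures a command line carrying the MDM password, beside a hardened version and an audit function a responder could run over a directory of such logs. The script names, paths, the `scli` command line and the sample credential are all constructed for illustration.

```shell
#!/bin/sh
# Unsafe pattern (constructed): the script logs the full command line it runs,
# so the MDM password lands in a temp file created under the usual 022 umask.
unsafe_support_log() {
    dir="$1"; user="$2"; pass="$3"
    umask 022                                   # typical default, made explicit
    log="$dir/scaleio_support_$$.log"           # predictable name, mode 644
    echo "$(date -u +%FT%TZ) running: scli --login --username $user --password $pass" >> "$log"
    echo "$log"
}

# Hardened pattern: restrictive umask, unpredictable name via mktemp, and the
# credential is never written; only a redacted marker reaches the log.
safe_support_log() {
    dir="$1"; user="$2"; pass="$3"
    umask 077
    log=$(mktemp "$dir/scaleio_support.XXXXXX") || return 1   # mode 600
    echo "$(date -u +%FT%TZ) running: scli --login --username $user --password [REDACTED]" >> "$log"
    echo "$log"
}

# Audit helper for responders: prints each support log that is readable by
# group or others AND still contains the given secret.
# Returns 0 when the directory is clean, 1 when an exposure was found.
audit_temp_logs() {
    dir="$1"; secret="$2"; found=0
    for f in "$dir"/scaleio_support*; do
        [ -f "$f" ] || continue
        gperm=$(ls -ld "$f" | cut -c5-10)       # group+other permission bits
        case "$gperm" in
            *r*) if grep -qF -- "$secret" "$f"; then
                     echo "EXPOSED: $f (perms $gperm)"
                     found=1
                 fi ;;
        esac
    done
    return "$found"
}
```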
* Denial of Service (CVE-2017-8019)
A vulnerability in the ScaleIO message parsers (MDM, SDS, and LIA) could potentially allow an unauthenticated remote attacker to send specially crafted packets that stop ScaleIO services and cause a denial of service condition.
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
* ScaleIO Debugging (SDBG) Service Buffer Overflow (CVE-2017-8020)
A buffer overflow vulnerability in the ScaleIO SDBG service may potentially allow a remote unauthenticated attacker to execute arbitrary commands with root privileges on the affected server.
CVSSv3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Resolution:
The following EMC ScaleIO release contains the resolution for these vulnerabilities:
* EMC ScaleIO version 2.0.1.4
For CVE-2017-8001, EMC recommends all customers follow additional steps documented in knowledgebase article 503560.
Link to remedies:
Customers can download software from https://support.emc.com/downloads/33925_ScaleIO-Software.
Credit:
EMC would like to thank David Berard, from the Ubisoft Security & Risk Management team, for reporting these vulnerabilities.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/