
List:       full-disclosure
Subject:    [FD] ESA-2017-157: EMC Data Domain DD OS Memory Overflow Vulnerability
From:       EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2017-12-18 19:07:00
Message-ID: 1BF8853173D9704A93EF882F85952A8938CF61 () MX304CL04 ! corp ! emc ! com

ESA-2017-157: EMC Data Domain DD OS Memory Overflow Vulnerability

EMC Identifier: ESA-2017-157
CVE Identifier: CVE-2017-14385
Severity Rating: CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected products:   
The following EMC Data Domain DD OS releases contain this vulnerability: 

* EMC Data Domain DD OS 5.7 family, versions prior to 5.7.5.6
* EMC Data Domain DD OS 6.0 family, versions prior to 6.0.2.9
* EMC Data Domain DD OS 6.1 family, versions prior to 6.1.0.21
* EMC Data Domain Virtual Edition 2.0 family, all versions
* EMC Data Domain Virtual Edition 3.0 family, versions prior to 3.0 SP2 Update 1
* EMC Data Domain Virtual Edition 3.1 family, versions prior to 3.1 Update 2


Summary:  
EMC Data Domain DD OS includes a memory overflow vulnerability in the SMB1 handler.


Details:  
EMC Data Domain DD OS contains a memory overflow vulnerability in SMBv1 which may potentially
be exploited by an unauthenticated remote attacker. An attacker may completely shut down both
the SMB service and active directory authentication. This may also allow remote code injection
and execution.

Resolution:  
The following EMC Data Domain DD OS releases address this vulnerability:  

* EMC Data Domain DD OS 5.7 family, version 5.7.5.6 and later
* EMC Data Domain DD OS 6.0 family, version 6.0.2.9 and later
* EMC Data Domain DD OS 6.1 family, version 6.1.0.21 and later
* EMC Data Domain Virtual Edition 3.0 family, version 3.0 SP2 Update 1 and later
* EMC Data Domain Virtual Edition 3.1 family, version 3.1 Update 2 and later

EMC recommends all customers upgrade at the earliest opportunity.
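
An inventory triage check built from the fixed releases listed above, added here as an example and not part of the EMC advisory. It assumes version strings are dotted numbers with an optional "-<build>" suffix; the hostnames and build numbers are constructed, and the Data Domain Virtual Edition families are not handled because their releases use "SP"/"Update" naming.

```python
import re

# Fixed releases per DD OS family, taken from the advisory's Resolution list.
FIXED = {
    (5, 7): (5, 7, 5, 6),
    (6, 0): (6, 0, 2, 9),
    (6, 1): (6, 1, 0, 21),
}

# Assumed input shape: "[free text] A.B[.C[.D]][-build]".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+(?:\.\d+){1,3})(?:-\d+)?\s*$")

def parse_version(text):
    """Return the version as a 4-tuple of ints, padding missing parts with 0."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(text):
    """Classify one version string as 'vulnerable', 'fixed' or 'not-listed'."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"  # family not covered by this advisory
    # Compare numerically: as strings, "6.1.0.5" would sort after "6.1.0.21".
    return "vulnerable" if version < fixed else "fixed"

def triage_inventory(inventory):
    """Map hostname -> status; unparseable strings are flagged for review."""
    report = {}
    for host, text in inventory.items():
        try:
            report[host] = triage(text)
        except ValueError:
            report[host] = "needs-review"
    return report

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = {
    "dd-backup-01": "Data Domain OS 5.7.5.0-548132",
    "dd-backup-02": "6.0.2.9",
    "dd-backup-03": "Data Domain OS 6.1.0.5-567091",
    "dd-lab-01": "Data Domain OS 6.2.0.5-123456",
    "dd-lab-02": "unknown",
}

print(triage_inventory(SAMPLE))
```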

Link to remedies:

Registered EMC Online Support customers can download patches and software from EMC Online
Support at https://support.emc.com/downloads/32697_DD-OS

Review the Release Notes before upgrading Data Domain systems. Information on release status
and release notes can be found in KB article 334649: DD OS Software Versions.

Note: When considering DD OS upgrades, verify that the upgraded DD OS version is compatible
with your backup software and related hardware. Refer to the respective compatibility guides.

Contact your service representative or the EMC Customer Support Center for assistance and
reference this ESA article ID.



[The following is standard text included in all security advisories.  Please do not change or
delete.]

Read and use the information in this EMC Security Advisory to assist in avoiding any situation
that might arise from the problems described herein. If you have any questions regarding this
product alert, contact EMC Software Technical Support at 1-877-534-2867.


For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC
recommends all customers take into account both the base score and any relevant temporal and
environmental scores which may impact the potential severity associated with a particular
security vulnerability.

EMC recommends that all users determine the applicability of this information to their
individual situations and take appropriate action. The information set forth herein is provided
"as is" without warranty of any kind. EMC disclaims all warranties, either express or implied,
including the warranties of merchantability, fitness for a particular purpose, title and
non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special
damages, even if EMC or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or
incidental damages, so the foregoing limitation may not apply.


