List: full-disclosure
Subject: [FD] ESA-2018-015: EMC RecoverPoint Command Injection Vulnerabilities
From: EMC Product Security Response Center <Security_Alert () emc ! com>
Date: 2018-01-31 17:26:22
Message-ID: 1BF8853173D9704A93EF882F85952A893CF213 () MX304CL04 ! corp ! emc ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2018-015: EMC RecoverPoint Command Injection Vulnerabilities
EMC Identifier: ESA-2018-015
CVE Identifier: CVE-2018-1184, CVE-2018-1185
Severity Rating: See below for individual scores
Affected products:
* EMC RecoverPoint for Virtual Machines versions prior to 5.1.1
* EMC RecoverPoint version 5.1.0.0
* EMC RecoverPoint versions prior to 5.0.1.3
Summary:
EMC RecoverPoint contains command injection vulnerabilities that could potentially be exploited by malicious users to compromise the affected systems.
Details:
EMC RecoverPoint is susceptible to the following command injection vulnerabilities:
* Command injection vulnerability in Admin CLI may allow a malicious user with admin privileges to escape from the restricted shell to an interactive shell and run arbitrary commands with root privileges (CVE-2018-1185).
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
* Command injection vulnerability in Boxmgmt CLI may allow a malicious user with boxmgmt privileges to bypass Boxmgmt CLI and run arbitrary commands with root privileges (CVE-2018-1184).
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Resolution:
The following EMC RecoverPoint releases contain resolutions to these vulnerabilities:
* EMC RecoverPoint for Virtual Machines 5.1.1
* EMC RecoverPoint for Virtual Machines 5.0.1.3
* EMC RecoverPoint 5.1.0.1
* EMC RecoverPoint 5.0.1.3
EMC recommends all customers upgrade to one of the above versions at the earliest opportunity. Customers are strongly advised to limit administrator privileges to trusted users and change default passwords to minimize the risk. See the Security Configuration Guide for details.
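The affected-version ranges above are easy to get wrong in an inventory check (a plain string comparison puts "5.10" before "5.9"). The following Python script is an added example, not EMC code: it encodes the ranges exactly as listed under "Affected products" and flags which hosts in a constructed inventory still run an affected build. Hostnames, versions and the inventory format are assumptions made up for illustration.

```python
"""Added example for ESA-2018-015: flag RecoverPoint installs whose version
falls inside the advisory's affected ranges. Not EMC code; the hostnames and
inventory below are constructed for illustration."""

from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '5.0.1.3' into (5, 0, 1, 3). Shorter strings are padded with
    zeros so '5.1.1' compares as 5.1.1.0; numeric tuples avoid the
    string-comparison trap where '5.10' sorts before '5.9'."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # type: ignore[return-value]


# Affected ranges exactly as listed under "Affected products" in ESA-2018-015.
# ("lt", v) means every version strictly before v; ("eq", v) means v itself.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "RecoverPoint for Virtual Machines": [("lt", "5.1.1")],
    "RecoverPoint": [("lt", "5.0.1.3"), ("eq", "5.1.0.0")],
}


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies in an affected range of the advisory."""
    if product not in AFFECTED:
        raise KeyError(f"product not covered by ESA-2018-015: {product!r}")
    v = parse_version(version)
    for op, bound in AFFECTED[product]:
        b = parse_version(bound)
        if (op == "lt" and v < b) or (op == "eq" and v == b):
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames from (host, product, version) records that still
    run an affected build, in inventory order."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("rpa-site1-01", "RecoverPoint", "5.0.1.2"),   # before 5.0.1.3 -> affected
    ("rpa-site1-02", "RecoverPoint", "5.0.1.3"),   # fixed release
    ("rpa-site2-01", "RecoverPoint", "5.1.0.0"),   # the listed 5.1.0.0 build
    ("rpa-site2-02", "RecoverPoint", "5.1.0.1"),   # fixed release
    ("vrpa-cluster-a", "RecoverPoint for Virtual Machines", "5.1.0.2"),  # before 5.1.1
    ("vrpa-cluster-b", "RecoverPoint for Virtual Machines", "5.1.1"),    # fixed release
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by ESA-2018-015, upgrade required")
```

Versions the advisory does not name (for example a RecoverPoint build between 5.0.1.3 and 5.1.0.0) are reported as not affected because the ranges are taken literally from the "Affected products" list; note that the Resolution section also names 5.0.1.3 as a fixed RecoverPoint for Virtual Machines release, so confirm the status of such builds against the vendor's own version table before closing a finding.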
Link to remedies:
Customers can download software from: https://support.emc.com/search/?text=RecoverPoint&searchLang=en_US&facetResource=DOWN
Credits:
EMC would like to thank Geoffrey Janjua, Mike Erman, Jack Backer, and Alexander Gonzalez from Northrop Grumman for reporting these vulnerabilities.
Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJacfuGAAoJEHbcu+fsE81ZXXEH/jmPlsfbucZdxcvxW69ICyeA
6xMF+iB0U9bp4xyE3tW07oxr/E0zXO5aDVEIvgwEzeuZ9d2rDVqqayO4nKLAP+34
YMlj+Zo36g3JL2HdaAxv4MwmoPgwTMVoWjmkW2eRUGx5HoBlLLxYsnpXxH+/7Nr5
9d5Vs0HdHXeQWYALUwhe6ypza8iUq2KJsJb4dkuHGzr66/qiOQuTCU+kMuWYfKqN
wKNk5jscd/EWEehXOeHFd2rRvAha/Gyt54Z6bqz1/VrsOtUkPjtOsavhFuuJMSdX
7fxFpE1GaeTmA0dX4LGjcf1o3cjuvfKoQR1JJiXHXjsKSNuoWdKSNYjnySfdyxA=
=BcQ/
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/