
List:       full-disclosure
Subject:    [FD] DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities
From:       EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2018-03-26 13:23:57
Message-ID: 1BF8853173D9704A93EF882F85952A89445065 () MX304CL04 ! corp ! emc ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities

Dell EMC Identifier: DSA-2018-058
CVE Identifier: CVE-2018-1205, CVE-2018-1237, CVE-2018-1238
Severity: Medium
Severity Rating: CVSS v3 Base Score: See below for CVSS v3 scores

Affected products:  
Dell EMC ScaleIO versions prior to 2.5  

Summary:  
Dell EMC ScaleIO customers are encouraged to update to ScaleIO v2.5, which contains fixes for
multiple security vulnerabilities in earlier ScaleIO software versions that could potentially
be exploited by malicious users to compromise the affected system.

Details:  
The vulnerability details are as follows:

*	Buffer overflow vulnerability (CVE-2018-1205)
Dell EMC ScaleIO versions prior to 2.5 do not properly handle some packet data in the MDM
service. As a result, a remote attacker could potentially send specifically crafted packet data
to the MDM service, causing it to crash. CVSSv3 Base Score: 5.9
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
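The check whose absence this entry describes, as an added example that is not Dell EMC's code: the advisory does not describe the MDM wire format, so the framing below (a 4-byte big-endian payload length, a 1-byte message type, then the payload), the size limit and the function names are all constructed stand-ins. Every length taken from the packet header is validated against the bytes actually received before it is used to index the buffer, and a frame that fails any check raises an error the caller can log and drop instead of taking the service down.

```python
import struct
from typing import List, Tuple

# Constructed framing, NOT the ScaleIO MDM protocol (the advisory does not
# describe it): uint32 big-endian payload length | uint8 message type | payload.
HEADER = struct.Struct(">IB")
MAX_PAYLOAD = 64 * 1024  # assumed upper bound on what a single frame may carry


class PacketError(ValueError):
    """Raised for any frame the parser refuses. The caller logs it and drops the
    connection; the service itself keeps running."""


def parse_packet(buf: bytes) -> Tuple[int, bytes, bytes]:
    """Parse one frame from buf; return (msg_type, payload, remaining bytes).

    Each length derived from attacker-controlled header fields is checked
    against what was actually received before it is used to index the buffer.
    """
    if len(buf) < HEADER.size:
        raise PacketError("short header: %d bytes" % len(buf))
    payload_len, msg_type = HEADER.unpack_from(buf, 0)
    if payload_len > MAX_PAYLOAD:
        raise PacketError("declared payload %d exceeds limit %d"
                          % (payload_len, MAX_PAYLOAD))
    end = HEADER.size + payload_len
    if len(buf) < end:
        raise PacketError("truncated payload: declared %d, received %d"
                          % (payload_len, len(buf) - HEADER.size))
    return msg_type, buf[HEADER.size:end], buf[end:]


def parse_stream(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split one receive buffer into frames; the first bad frame aborts parsing."""
    frames = []
    while buf:
        msg_type, payload, buf = parse_packet(buf)
        frames.append((msg_type, payload))
    return frames


def build_packet(msg_type: int, payload: bytes) -> bytes:
    """Encode a well-formed frame (used here only to construct sample input)."""
    return HEADER.pack(len(payload), msg_type) + payload


def rejects(buf: bytes) -> bool:
    """True if the parser refuses buf; exercises the failure paths."""
    try:
        parse_stream(buf)
    except PacketError:
        return True
    return False


if __name__ == "__main__":
    good = build_packet(1, b"hello") + build_packet(2, b"")
    print(parse_stream(good))
    # Constructed hostile frames: an oversized declared length, a length that
    # runs past the received data, and a header cut short.
    for bad in (HEADER.pack(0xFFFFFFFF, 1) + b"abc",
                HEADER.pack(10, 1) + b"abc",
                b"\x00\x00"):
        print("rejected:", rejects(bad))
```

The same three checks (header present, declared length within a fixed budget, declared length within the bytes received) apply to any length-prefixed protocol; in a native implementation they are what stand between a crafted header and an out-of-bounds copy.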

*	Improper Restriction of Excessive Authentication Attempts Vulnerability (CVE-2018-1237)
Dell EMC ScaleIO versions prior to 2.5 contain improper restriction of excessive
authentication attempts on the Light Installation Agent (LIA). This component is deployed on
every server in the ScaleIO cluster and is used for central management of ScaleIO nodes. A
remote malicious user, having network access to LIA, could potentially exploit this
vulnerability to launch brute force guessing of user names and passwords of user accounts on
the LIA. CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
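What "restriction of excessive authentication attempts" looks like in code, as an added example that is not the LIA's own implementation: a throttle that counts failed logins per source address and per account inside a sliding window and refuses further attempts for a lockout period once the threshold is reached. The window, threshold and lockout values, the `AuthThrottle` and `attempt_login` names, and the SHA-256 credential store are all assumptions made for the example (a real agent would use a slow password hash); the replayed login events are constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Callable, Dict, List, Tuple

# Assumed policy values; tune to the deployment.
WINDOW_SECONDS = 300    # failures older than this no longer count
MAX_FAILURES = 5        # failures inside the window that trigger a lockout
LOCKOUT_SECONDS = 900   # how long a locked source or account is refused


class AuthThrottle:
    """Per-source and per-account failure counting with temporary lockout."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(deque)      # key -> timestamps of recent failures
        self._locked_until: Dict[tuple, float] = {}

    @staticmethod
    def _keys(source: str, account: str):
        # Counting on both keys: one source cannot spray many accounts, and many
        # sources cannot each take MAX_FAILURES guesses at a single account.
        return (("src", source), ("acct", account))

    def is_locked(self, source: str, account: str) -> bool:
        now = self._clock()
        return any(self._locked_until.get(k, 0.0) > now
                   for k in self._keys(source, account))

    def record(self, source: str, account: str, success: bool) -> None:
        now = self._clock()
        for key in self._keys(source, account):
            q = self._failures[key]
            if success:
                q.clear()
                self._locked_until.pop(key, None)
                continue
            q.append(now)
            while q and now - q[0] > WINDOW_SECONDS:   # drop expired failures
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT_SECONDS
                q.clear()


def attempt_login(throttle: AuthThrottle, users: Dict[str, bytes],
                  source: str, account: str, password: str) -> str:
    """Return 'locked', 'denied' or 'ok'. The lock check runs before any
    credential comparison, so a locked caller learns nothing about the password."""
    if throttle.is_locked(source, account):
        return "locked"
    stored = users.get(account)
    supplied = hashlib.sha256(password.encode()).digest()   # stand-in for a real KDF
    ok = stored is not None and hmac.compare_digest(stored, supplied)
    throttle.record(source, account, ok)   # unknown accounts count as failures too
    return "ok" if ok else "denied"


def run_scenario(events: List[Tuple[float, str, str, str]]) -> List[str]:
    """Replay constructed (time, source, account, password) events against a
    fake clock and return the decision taken for each one."""
    now = [0.0]
    throttle = AuthThrottle(lambda: now[0])
    users = {"admin": hashlib.sha256(b"correct horse").digest()}   # constructed
    decisions = []
    for t, source, account, password in events:
        now[0] = t
        decisions.append(attempt_login(throttle, users, source, account, password))
    return decisions


if __name__ == "__main__":
    guesses = [(float(i), "10.0.0.5", "admin", "wrong%d" % i) for i in range(5)]
    events = guesses + [
        (5.0, "10.0.0.5", "admin", "correct horse"),     # right password, but locked
        (6.0, "10.0.0.9", "admin", "correct horse"),     # other source, account locked
        (7.0, "10.0.0.9", "operator", "x"),              # unrelated account, not locked
        (1000.0, "10.0.0.5", "admin", "correct horse"),  # lockout expired
    ]
    for event, decision in zip(events, run_scenario(events)):
        print(event[0], event[1], event[2], "->", decision)
```

Note that the correct password submitted at t=5 is still refused: the lockout is evaluated before the credential is compared, which is what denies an attacker the ability to confirm a guess once the threshold is hit. The counters live in memory here; an agent deployed on every node, as the LIA is, would want them persisted or reported centrally so the lockout survives a restart and brute forcing is visible to the operator.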

*	Command injection vulnerability (CVE-2018-1238)
Dell EMC ScaleIO versions prior to 2.5 contain a command injection vulnerability in the Light
Installation Agent (LIA). This component is used for central management of ScaleIO deployment
and uses shell commands for certain actions. A remote malicious user, with network access to
LIA and knowledge of the LIA administrative password, could potentially exploit this
vulnerability to run arbitrary commands as root on the systems where LIAs are installed. CVSSv3
Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
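The shape of this class of bug and its fix, as an added example that is not the LIA's code: the advisory only says the agent runs shell commands for certain actions, so the management action below (pinging a node whose name arrives in an authenticated request) and the `validate_node`, `hardened_argv` and `run_hardened` names are assumptions. The unsafe variant builds a command string and hands it to a shell; the hardened variant validates the value against a strict allowlist and passes an argument vector with no shell at all. That an attacker already holds the administrative password does not make the input trusted: an agent running as root must treat every request field as hostile.

```python
import re
import shlex
import subprocess
from typing import List

# Hypothetical agent action, not the LIA's real code path: ping a cluster node
# named in the request. Only the shape of the flaw and of the fix matters.

# Allowlist for a node name: DNS-style labels, and never a leading '-' so the
# value cannot be read as an option by the utility that receives it.
NODE_NAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def vulnerable_command(node: str) -> str:
    """The string the unsafe version would hand to subprocess.run(..., shell=True).

    The request value is spliced into the command line, so any shell
    metacharacter it contains (';', '|', '$(...)', backticks) becomes part of
    the command the shell executes, as root when the agent runs as root.
    """
    return "ping -c 1 " + node


def validate_node(node: str) -> str:
    """Reject anything that is not a plain node name; return it unchanged."""
    if not NODE_NAME_RE.fullmatch(node):
        raise ValueError("rejected node name: %r" % node)
    return node


def hardened_argv(node: str) -> List[str]:
    """Argument vector for the same action: validated value, one argv slot."""
    return ["ping", "-c", "1", validate_node(node)]


def run_hardened(node: str) -> int:
    """Execute without a shell: argv goes straight to execve, so there is no
    command line for injected metacharacters to alter."""
    return subprocess.run(hardened_argv(node), check=False,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def shell_safe_command(node: str) -> str:
    """Only when a shell genuinely cannot be avoided: validate first, then quote.
    Quoting alone, without the allowlist, is the weaker of the two defences."""
    return "ping -c 1 " + shlex.quote(validate_node(node))


def is_rejected(node: str) -> bool:
    """True if validation refuses the value; exercises the failure path."""
    try:
        validate_node(node)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request values: one legitimate, the rest malformed.
    for value in ("node-1.example.internal", "node1; id", "$(id)", "-f"):
        print("%-26r unsafe=%r rejected=%s"
              % (value, vulnerable_command(value), is_rejected(value)))
    print(hardened_argv("node-1.example.internal"))
```

The printed `unsafe=` column shows why the vulnerable builder is dangerous: a value such as `node1; id` survives intact into the command line. The hardened path never reaches the utility with such a value, and even a value that passes validation is delivered as a single argv element rather than parsed by a shell.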


Resolution:  
The following Dell EMC ScaleIO release contains resolutions to these vulnerabilities:
*	Dell EMC ScaleIO version 2.5

Dell EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download software from
https://support.emc.com/downloads/40635_ScaleIO-Product-Family

Credit:
Dell EMC would like to thank David Berard, from the Ubisoft Security & Risk Management team,
for reporting these vulnerabilities.


Read and use the information in this Dell EMC Security Advisory to assist in avoiding any
situation that might arise from the problems described herein. If you have any questions
regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase solution emc218831.
Dell EMC recommends all customers take into account both the base score and any relevant
temporal and environmental scores which may impact the potential severity associated with a
particular security vulnerability.

Dell EMC recommends that all users determine the applicability of this information to their
individual situations and take appropriate action. The information set forth herein is provided
"as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or
implied, including the warranties of merchantability, fitness for a particular purpose, title
and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Dell EMC or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for consequential or
incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJauOjDAAoJEHbcu+fsE81Z3/wH/jL9Ub908R9cXBOLhTbwCohq
pVPgYZwy8ew96iuUaqDgqy3KmarYebeZ9MAG2gxW5URYqNSO7LJBZG8Jo4qWB3gB
QuShn8UvJ0yfo4vxznkXtGjxhFLopYaoN+tgDQ3IjkcH3chvAHS0dnUk9Uj7OQsx
KEltBIFJmzv97ZxkCLxqEtNu0LSTFsvKhjyKl6lOJZ8yVfTZR/p+Awx1czEyJc8Z
/sfRBBgqJnK3LHBNEsuqCy+wedlDHwj+/d3wBr51eR0+3UrD2jRaDQVx3VkcE7Gb
DGjCoZRJ8qiWp7muB0rC7/6PxxxQcNlBludSiYDTkdrQpjot1G37w+TX1GFVUUk=
=FvDE
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


