List: full-disclosure
Subject: [FD] DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities
From: EMC Product Security Response Center <Security_Alert () emc ! com>
Date: 2018-03-26 13:23:57
Message-ID: 1BF8853173D9704A93EF882F85952A89445065 () MX304CL04 ! corp ! emc ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities
Dell EMC Identifier: DSA-2018-058
CVE Identifier: CVE-2018-1205, CVE-2018-1237, CVE-2018-1238
Severity: Medium
Severity Rating: CVSS v3 Base Score: See below for CVSS v3 scores
Affected products:
Dell EMC ScaleIO versions prior to 2.5
Summary:
Dell EMC ScaleIO customers are encouraged to update to ScaleIO v2.5, which contains fixes for multiple security vulnerabilities in earlier ScaleIO software versions that could potentially be exploited by malicious users to compromise the affected system.
Details:
The vulnerability details are as follows:
* Buffer overflow vulnerability (CVE-2018-1205)
Dell EMC ScaleIO versions prior to 2.5 do not properly handle some packet data in the MDM service. As a result, a remote attacker could potentially send specifically crafted packet data to the MDM service, causing it to crash. CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
* Improper Restriction of Excessive Authentication Attempts Vulnerability (CVE-2018-1237)
Dell EMC ScaleIO versions prior to 2.5 contain improper restriction of excessive authentication attempts on the Light Installation Agent (LIA). This component is deployed on every server in the ScaleIO cluster and is used for central management of ScaleIO nodes. A remote malicious user with network access to LIA could potentially exploit this vulnerability to brute-force the user names and passwords of user accounts on the LIA. CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
* Command injection vulnerability (CVE-2018-1238)
Dell EMC ScaleIO versions prior to 2.5 contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of the ScaleIO deployment and uses shell commands for certain actions. A remote malicious user with network access to LIA and knowledge of the LIA administrative password could potentially exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed. CVSSv3 Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
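To make the two LIA weakness classes concrete, the following Python example is added here for this page; it is not Dell EMC or ScaleIO code and does not model the real LIA protocol. It places a toy management agent that has both defects beside a hardened version: the vulnerable agent compares passwords with no attempt limit and splices caller data into a shell command line, so a host value of `10.0.0.1; echo INJECTED` runs a second command; the hardened agent locks a source out after repeated failures, compares in constant time, validates the host value against an allowlist and invokes the program with an argument list and no shell. The credential, hostnames, source address, the agent API and the use of `echo` in place of a real tool are all constructed assumptions.

```python
"""Added example: a toy management agent illustrating the LIA weakness classes.
Not Dell EMC code; the agent API, credential, hostnames and source address are
all constructed for this example, and 'echo' stands in for a real system tool."""
import hmac
import re
import subprocess
import time
from collections import defaultdict

ADMIN_PASSWORD = "example-admin-pw"                       # constructed credential
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")  # conservative allowlist


class VulnerableAgent:
    """Both defects: unlimited auth attempts and shell-built command lines."""

    def authenticate(self, source: str, password: str) -> bool:
        # CWE-307 pattern: every attempt is evaluated, however many failed before.
        return password == ADMIN_PASSWORD

    def ping(self, host: str) -> str:
        # CWE-78 pattern: caller data is interpolated into a shell string, so
        # metacharacters in 'host' become additional shell commands.
        result = subprocess.run(f"echo pinging {host}", shell=True,
                                capture_output=True, text=True, check=False)
        return result.stdout


class HardenedAgent:
    """Per-source lockout, constant-time compare, allowlist + argv execution."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300

    def __init__(self, clock=time.monotonic):
        self._clock = clock                     # injectable for deterministic tests
        self._failures = defaultdict(int)       # source -> consecutive failures
        self._locked_until = {}                 # source -> unlock timestamp

    def authenticate(self, source: str, password: str) -> bool:
        now = self._clock()
        if self._locked_until.get(source, 0.0) > now:
            return False                        # locked out: no comparison at all
        ok = hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())
        if ok:
            self._failures.pop(source, None)
            return True
        self._failures[source] += 1
        if self._failures[source] >= self.MAX_FAILURES:
            self._locked_until[source] = now + self.LOCKOUT_SECONDS
            self._failures.pop(source, None)
        return False

    def ping(self, host: str) -> str:
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError(f"rejected host value: {host!r}")
        # Argument list and no shell: 'host' reaches the program as one argv entry.
        result = subprocess.run(["echo", "pinging", host],
                                capture_output=True, text=True, check=False)
        return result.stdout


def demo() -> dict:
    """Drive both agents with the same attacker inputs and report what happened."""
    attacker = "10.0.0.9"                        # constructed source address
    payload = "10.0.0.1; echo INJECTED"          # constructed injection attempt
    obs = {}

    v = VulnerableAgent()
    obs["vulnerable_guesses_rejected"] = sum(
        not v.authenticate(attacker, f"guess{i}") for i in range(1000))
    obs["vulnerable_accepts_after_guessing"] = v.authenticate(attacker, ADMIN_PASSWORD)
    obs["vulnerable_ping_output"] = v.ping(payload)   # the injected command runs

    fake_now = [1000.0]
    h = HardenedAgent(clock=lambda: fake_now[0])
    for i in range(HardenedAgent.MAX_FAILURES):
        h.authenticate(attacker, f"guess{i}")
    obs["hardened_locked_out"] = not h.authenticate(attacker, ADMIN_PASSWORD)
    fake_now[0] += HardenedAgent.LOCKOUT_SECONDS + 1
    obs["hardened_accepts_after_lockout"] = h.authenticate(attacker, ADMIN_PASSWORD)
    try:
        h.ping(payload)
        obs["hardened_rejects_payload"] = False
    except ValueError:
        obs["hardened_rejects_payload"] = True
    obs["hardened_ping_output"] = h.ping("mdm-1.example.internal")
    return obs


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The lockout here is keyed on the source address only; an attacker spread over many sources would also need a per-account counter, and a real agent should log each lockout so the attempts are visible to detection. Note that even in the hardened version the command path is only reachable after a successful login, which matches the precondition the advisory states for CVE-2018-1238: the injection is post-authentication, but because the agent runs as root it turns an administrative password into root code execution on every node.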
Resolution:
The following Dell EMC ScaleIO release contains resolutions to these vulnerabilities:
* Dell EMC ScaleIO version 2.5
Dell EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies:
Customers can download software from https://support.emc.com/downloads/40635_ScaleIO-Product-Family
Credit:
Dell EMC would like to thank David Berard, from the Ubisoft Security & Risk Management team, for reporting these vulnerabilities.
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase solution emc218831. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJauOjDAAoJEHbcu+fsE81Z3/wH/jL9Ub908R9cXBOLhTbwCohq
pVPgYZwy8ew96iuUaqDgqy3KmarYebeZ9MAG2gxW5URYqNSO7LJBZG8Jo4qWB3gB
QuShn8UvJ0yfo4vxznkXtGjxhFLopYaoN+tgDQ3IjkcH3chvAHS0dnUk9Uj7OQsx
KEltBIFJmzv97ZxkCLxqEtNu0LSTFsvKhjyKl6lOJZ8yVfTZR/p+Awx1czEyJc8Z
/sfRBBgqJnK3LHBNEsuqCy+wedlDHwj+/d3wBr51eR0+3UrD2jRaDQVx3VkcE7Gb
DGjCoZRJ8qiWp7muB0rC7/6PxxxQcNlBludSiYDTkdrQpjot1G37w+TX1GFVUUk=
=FvDE
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/