
List:       full-disclosure
Subject:    [FD] DSA-2018-120: Dell EMC NetWorker Clear-Text authentication over network vulnerability
From:       Dell EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2018-07-25 19:26:29
Message-ID: 1BF8853173D9704A93EF882F85952A89524B19 () MX304CL04 ! corp ! emc ! com


DSA-2018-120: Dell EMC NetWorker Clear-Text authentication over network vulnerability

Dell EMC Identifier: DSA-2018-120
CVE Identifier: CVE-2018-11050
Severity: Medium
Severity Rating: CVSS v3 Base Score 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected products:  
*	Dell EMC NetWorker 9.0
*	Dell EMC NetWorker 9.1.1.8 and prior
*	Dell EMC NetWorker 9.2.1.3 and prior
*	Dell EMC NetWorker 18.1.0.1


Summary:  
Dell EMC NetWorker Server has been updated to remediate a Clear-Text authentication over
network vulnerability that could potentially be exploited by malicious users to compromise the
affected system.

Details:  

Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and version 18.1.0.1,
contain a Clear-Text authentication over network vulnerability in the RabbitMQ Advanced
Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote
AMQP service. An unauthenticated attacker in the same network collision domain could
potentially sniff the password from the network and use it to access the component using the
privileges of the compromised user.

Resolution:  
The following Dell EMC NetWorker releases contain resolutions to this vulnerability:

*	Dell EMC NetWorker 9.1.1.9 and later
*	Dell EMC NetWorker 9.2.1.4 and later
*	Dell EMC NetWorker 18.1.0.2 and later

Customers running NetWorker Server versions 9.x and 18.1.0.1 should upgrade to one of the above
fixed versions.

Dell EMC recommends all customers upgrade at the earliest opportunity. Customers can download
a fixed version directly at the links below.

Link to remedies:

For more information and access to the various releases, see
https://support.emc.com/downloads/1095_NetWorker

Severity Rating

For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307
(https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both
the base score and any relevant temporal and environmental scores which may impact the
potential severity associated with a particular security vulnerability.

Legal Information

Read and use the information in this Dell EMC Security Advisory to assist in avoiding any
situation that might arise from the problems described herein. If you have any questions
regarding this advisory, contact Dell EMC Technical Support
(https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security
Advisories in order to bring to the attention of users of the affected Dell EMC products
important security information. Dell EMC recommends that all users determine the applicability
of this information to their individual situations and take appropriate action. The information
set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all
warranties, either express or implied, including the warranties of merchantability, fitness for
a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Dell EMC or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages, so the foregoing limitation
may not apply.

 

Dell EMC Product Security Response Center

security_alert@emc.com

http://www.emc.com/products/security/product-security-response-center.htm

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
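
Added example (not part of the advisory and not Dell EMC code): a check for the condition the Details section describes, run over the client-to-server bytes of a reassembled TCP stream to confirm whether a host still authenticates to AMQP in the clear. It assumes AMQP 0-9-1 framing and the PLAIN/AMQPLAIN mechanisms, which the advisory does not specify; the function names and the sample stream are constructed for illustration.

```python
import struct

AMQP_091_HEADER = b"AMQP\x00\x00\x09\x01"     # protocol header a 0-9-1 client sends first
METHOD_FRAME, FRAME_END = 1, 0xCE
START_OK = (10, 11)                           # Connection.Start-Ok class-id, method-id
CLEARTEXT_MECHANISMS = {"PLAIN", "AMQPLAIN"}  # assumption: both carry the password unhashed

def parse_start_ok(args):
    """Return (mechanism, response length) from Start-Ok arguments, or None."""
    try:
        (table_len,) = struct.unpack_from(">I", args, 0)   # client-properties table
        pos = 4 + table_len
        mech_len = args[pos]                               # mechanism is a shortstr
        mechanism = args[pos + 1:pos + 1 + mech_len].decode("ascii")
        (resp_len,) = struct.unpack_from(">I", args, pos + 1 + mech_len)
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return mechanism, resp_len                             # length only, never the bytes

def classify_client_stream(data):
    """Classify the first client-to-server bytes of one reassembled TCP stream."""
    if data[:2] == b"\x16\x03":                            # TLS handshake record
        return {"transport": "tls", "finding": "ok"}
    if not data.startswith(AMQP_091_HEADER):
        return {"transport": "unknown", "finding": "not-amqp"}
    result = {"transport": "plaintext-amqp", "finding": "cleartext-session"}
    pos = len(AMQP_091_HEADER)
    while pos + 7 <= len(data):                            # 7-byte frame header
        ftype, _channel, size = struct.unpack_from(">BHI", data, pos)
        end = pos + 7 + size
        if end >= len(data) or data[end] != FRAME_END:
            break                                          # truncated or malformed frame
        payload = data[pos + 7:end]
        if ftype == METHOD_FRAME and len(payload) >= 4 \
                and struct.unpack_from(">HH", payload) == START_OK:
            parsed = parse_start_ok(payload[4:])
            if parsed:
                result["mechanism"], result["response_bytes"] = parsed
                if parsed[0] in CLEARTEXT_MECHANISMS:
                    result["finding"] = "cleartext-credentials"
            break
        pos = end + 1
    return result

def constructed_stream(mechanism=b"PLAIN", response=b"\x00backup\x00CONSTRUCTED"):
    """Constructed sample: protocol header plus one Start-Ok frame (not a real capture)."""
    payload = (struct.pack(">HHI", 10, 11, 0) + bytes([len(mechanism)]) + mechanism
               + struct.pack(">I", len(response)) + response + b"\x05en_US")
    return AMQP_091_HEADER + struct.pack(">BHI", 1, 0, len(payload)) + payload + b"\xce"
```

A `cleartext-credentials` finding for a NetWorker host after the upgrade means the AMQP connection is still not protected; `cleartext-session` means the session is unencrypted but no PLAIN-style login was seen in the bytes examined.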

