List: full-disclosure
Subject: [FD] DSA-2018-101: Dell EMC Unity Family Multiple Vulnerabilities
From: <secure () Dell ! com>
Date: 2018-09-18 13:03:03
Message-ID: de61994e06ad4e1682830607541c272b () AUSX13MPS306 ! AMER ! DELL ! COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
DSA-2018-101: Dell EMC Unity Family Multiple Vulnerabilities
Dell EMC Identifier: DSA-2018-101
CVE Identifier: CVE-2018-1246, CVE-2018-1250, CVE-2018-1251
Severity Rating: CVSS v3 Base Score: See below for individual CVEs
Affected products:
Dell EMC Unity Operating Environment (OE) versions prior to 4.3.1.1525703027
Dell EMC UnityVSA Operating Environment (OE) versions prior to 4.3.1.1525703027
Summary:
Dell EMC Unity requires an update to address multiple security vulnerabilities that may
potentially be exploited by malicious users to compromise the affected system.
Details:
* Authorization Bypass (CVE-2018-1250)
Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain an Authorization Bypass
vulnerability. A remote authenticated user could potentially exploit this vulnerability to read
files on a NAS server by directly interacting with certain APIs of Unity OE, bypassing the
role-based authorization control that is implemented only in the Unisphere GUI. CVSS v3 Base
Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
* Reflected Cross-site Scripting (XSS) (CVE-2018-1246)
Dell EMC Unity contains a reflected cross-site scripting vulnerability. A remote unauthenticated
attacker could potentially exploit this vulnerability by tricking a victim application user into
supplying malicious HTML or JavaScript code to Unisphere, which is then reflected back to the
victim and executed by the web browser. CVSS v3 Base Score: 4.7
(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)
* URL Redirection (CVE-2018-1251)
Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain a URL Redirection
vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability
to redirect Unity users to arbitrary web URLs by tricking the victim user into clicking a
maliciously crafted Unisphere URL. The attacker could potentially phish information, including
Unisphere users' credentials, from the victim once they are redirected. CVSS v3 Base Score: 8.3
(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
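The authorization-bypass item above describes a role check that lives only in the GUI, so a client that calls the back-end API directly never meets it. The following is an added illustration of that pattern and its fix; it is not Dell EMC code, and the role names, permission names and file paths are hypothetical. It models an API that trusts its GUI caller, then the same API with the role check enforced on the server side, and runs a low-privilege session through each path.

```python
"""Server-side role enforcement on an API that a GUI also calls.

Added illustration, not Dell EMC code: roles, permissions and paths below are
hypothetical. VulnerableApi relies on Gui to check the role; HardenedApi
checks it itself, so calling the API directly gains nothing.
"""
from functools import wraps

# Hypothetical role -> permission mapping (an assumption, not Unity's RBAC model).
PERMISSIONS = {
    "administrator": {"nas.read_files", "nas.configure"},
    "storage_admin": {"nas.read_files", "nas.configure"},
    "operator": {"nas.view_status"},
}


class Forbidden(Exception):
    """Raised when a session's role does not hold the needed permission."""


class Session:
    def __init__(self, user, role):
        self.user, self.role = user, role


class VulnerableApi:
    """API that assumes only the GUI ever calls it, so it checks nothing."""

    def __init__(self, files):
        self.files = files          # path -> content of the NAS server's files

    def read_file(self, session, path):
        return self.files[path]     # any authenticated session succeeds


class Gui:
    """Front end that checks the role before forwarding to the API."""

    def __init__(self, api):
        self.api = api

    def read_file(self, session, path):
        if "nas.read_files" not in PERMISSIONS.get(session.role, set()):
            raise Forbidden(f"role {session.role!r} may not read NAS files")
        return self.api.read_file(session, path)


def require(permission):
    """Decorator: deny the API call itself unless the role holds `permission`."""

    def decorator(fn):
        @wraps(fn)
        def wrapper(self, session, *args, **kwargs):
            if permission not in PERMISSIONS.get(session.role, set()):
                raise Forbidden(f"role {session.role!r} lacks {permission}")
            return fn(self, session, *args, **kwargs)
        return wrapper
    return decorator


class HardenedApi:
    """Same API, but the role check belongs to the API, not to its caller."""

    def __init__(self, files):
        self.files = files

    @require("nas.read_files")
    def read_file(self, session, path):
        return self.files[path]


def attempt(fn, *args):
    """Return 'allowed' or 'denied' for one call."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"


def demo():
    """Run an operator (no read permission) and an admin through each path."""
    # Constructed sample data: one file on a hypothetical NAS server.
    files = {"/etc/exports": "/share1 *(rw,sync)"}
    operator = Session("op1", "operator")
    admin = Session("adm1", "storage_admin")
    return {
        "operator_via_gui_vulnerable": attempt(Gui(VulnerableApi(files)).read_file, operator, "/etc/exports"),
        "operator_direct_vulnerable": attempt(VulnerableApi(files).read_file, operator, "/etc/exports"),
        "operator_direct_hardened": attempt(HardenedApi(files).read_file, operator, "/etc/exports"),
        "admin_direct_hardened": attempt(HardenedApi(files).read_file, admin, "/etc/exports"),
    }


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:30} {outcome}")
```

The GUI path denies the operator in both versions; only the hardened API also denies the operator who skips the GUI. The practical check on any product with a separate GUI and API is exactly that second row: replay a GUI-forbidden action against the API endpoint with the low-privilege session and confirm it is refused there too.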
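The reflected XSS and URL redirection items above are both cases of a request parameter flowing back into the response, once into HTML and once into a redirect target. The following is an added illustration of both defects in one handler and of the corresponding fixes; it is not Dell EMC code, and the /login route, the `next` parameter and the page text are hypothetical.

```python
"""Reflected XSS and open redirect through one `next` parameter, then the fix.

Added illustration, not Dell EMC code; route, parameter and page text are
hypothetical. vulnerable_login reflects `next` unescaped into HTML and
redirects wherever it points; hardened_login HTML-escapes the reflection
and only redirects to a relative path on its own origin.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit


def _next_param(query_string):
    return parse_qs(query_string).get("next", [""])[0]


def vulnerable_login(query_string):
    """Reflects `next` raw into the body and into the Location header."""
    nxt = _next_param(query_string) or "/"
    body = f'<p>Signed in. Continue to <a href="{nxt}">{nxt}</a></p>'
    return {"status": 302, "location": nxt, "body": body}


def safe_redirect_target(candidate, default="/"):
    """Return `candidate` only if it is a same-origin relative path.

    Rejects absolute URLs (scheme or host present, including protocol-relative
    //host and ///host), anything not starting with '/', backslashes (browsers
    normalise '/\\evil' to '//evil') and control characters (CR/LF would split
    the response headers).
    """
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith("//") or "\\" in candidate:
        return default
    if any(ord(c) < 0x20 for c in candidate):
        return default
    return candidate


def hardened_login(query_string):
    """Same handler with a validated redirect target and escaped reflection."""
    nxt = safe_redirect_target(_next_param(query_string))
    shown = escape(nxt)          # encodes < > & " ' for an HTML text/attribute context
    body = f'<p>Signed in. Continue to <a href="{shown}">{shown}</a></p>'
    return {"status": 302, "location": nxt, "body": body}


# Constructed payloads of the kind a phishing link would carry.
CONSTRUCTED_PAYLOADS = [
    "next=/system/settings",
    "next=https://evil.example/login",
    "next=//evil.example/",
    'next=/x"><script>alert(1)</script>',
]

if __name__ == "__main__":
    for q in CONSTRUCTED_PAYLOADS:
        v, h = vulnerable_login(q), hardened_login(q)
        print(f"{q!r}\n  vulnerable -> {v['location']}\n  hardened   -> {h['location']}")
```

An allow-list of relative paths is the whole fix for the redirect; trying to block-list known bad hosts or schemes misses the protocol-relative and backslash forms that `safe_redirect_target` rejects explicitly. Escaping at the point of output, in the context where the value lands, is the fix for the reflection; here the same escaped value is safe both as attribute value and as text.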
Resolution:
The following Dell EMC Unity releases contain resolutions to these vulnerabilities:
* Dell EMC Unity Operating Environment (OE) version 4.3.1.1525703027
* Dell EMC UnityVSA Operating Environment (OE) version 4.3.1.1525703027
To take advantage of the latest security fixes and enhancements, Dell EMC recommends upgrading
to the latest Unity OE code. Customers can refer to Dell EMC target code information at:
https://support.emc.com/docu39695_Target_Revisions_and_Adoption_Rates.pdf?language=en_US&language=en_US.
Link to remedies:
Registered Dell EMC Support customers can download Unity software from the Dell EMC Online
Support web site: https://support.emc.com/downloads/39949_Dell-EMC-Unity-Family
Severity Rating
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307
(https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both
the base score and any relevant temporal and environmental scores which may impact the
potential severity associated with a particular security vulnerability.
Legal Information
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any
situation that might arise from the problems described herein. If you have any questions
regarding this advisory, contact Dell EMC Technical Support
(https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security
Advisories in order to bring important security information to the attention of users of the
affected Dell EMC products. Dell EMC recommends that all users determine the applicability of
this information to their individual situations and take appropriate action. The information
set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all
warranties, either express or implied, including the warranties of merchantability, fitness for
a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers
be liable for any damages whatsoever, including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Dell EMC or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages, so the foregoing limitation
may not apply.
Dell Product Security Incident Response Team
secure@dell.com
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAlug9xcACgkQgSlofD2Y
i6eFlg/9Gbfu4dYSTr8/33bFt7zXktPR49cGBV6Y0TVFTKfvfu8aAPjd6rVzRn4C
rmEviuxPvgGaa2P2d43DZulhlsfanNk4TNuIX1h8aoRZyj+9V6akDjVGAiojKlbG
iAvnZYn5FEv///UlRTM+Ysn1LESFCcShKs1mg3XO5wkbwYfAGuD4qubrauHCkhlx
Tbv6k73/qyyNXRrSb54xpJkZC9yuswvg+ledJ39r5YH4+JEZrnqAxUxos+emBO7y
KHKkZdcf+oZqbBtONefmDG/84KxgT2+X/msfT0d4mSIDmnRwQl3gVAZW093ZpRM+
E2rS18RH75G4UzXmY+m2+I5lF6t+L8TvcxMgRP2/mkkC552FSujBhJNKUyfP7ral
AP2DLMMXMrib8ddtVu9lk9HcBgATye2ibeu/Q2PUD7ld6gqGnFd7gJrexiT5Razq
WCPEMjgIBXWZZ4qgp3aMq8lLXZ//Zyub1awql4JYZIr8oUjxmV8Lnp/0V6hTWAfX
atznclE2+UGENlWqU4vOdhI+ZOeyn7bjrdUrktsAsvSg8LUECTtvjji5QsjLP+ui
57VcVKmX2j7+61mYslIs5HScgrEfubh73HL/Cm1JZ7aqsD1TUaGzlgqS/D2SMvL4
EgyXPpE3u9gBf0oNaNkbDNXyetLHIdmblJ8bz0zm00DoTMEaHZk=
=LLPx
-----END PGP SIGNATURE-----