
List:       full-disclosure
Subject:    [FD] DSA-2018-141: Dell EMC Unity Family Incorrect File Permissions vulnerability
From:       <secure () Dell ! com>
Date:       2018-09-26 19:07:30
Message-ID: 69a0a4424cad41bcaf135faade758fcd () AUSX13MPS306 ! AMER ! DELL ! COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2018-141: Dell EMC Unity Family Incorrect File Permissions vulnerability 

Dell EMC Identifier: DSA-2018-141

CVE Identifier: CVE-2018-11064 

Severity Rating: CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected products:  
Dell EMC Unity Operating Environment (OE) versions 4.3.0.x and 4.3.1.x
Dell EMC UnityVSA Operating Environment (OE) versions 4.3.0.x and 4.3.1.x

Summary:  
Dell EMC Unity requires an update to address an Incorrect File Permissions vulnerability with
multiple files. This vulnerability may potentially be exploited by malicious local users to
compromise the affected system.

Details:  
Dell EMC Unity OE versions 4.3.0.x and 4.3.1.x and UnityVSA OE versions 4.3.0.x and 4.3.1.x
contain an Incorrect File Permissions vulnerability. A locally authenticated malicious user
could potentially exploit this vulnerability to alter multiple library files in service tools,
which might result in arbitrary code execution with elevated privileges. No user file systems
are directly affected by this vulnerability.

Resolution:  
The following Dell EMC Unity release contains resolutions to this vulnerability:
*	Dell EMC Unity Operating Environment (OE) version 4.4.0.1534750794
*	Dell EMC UnityVSA Operating Environment (OE) version 4.4.0.1534750794

To take advantage of the latest security fixes and enhancements, Dell EMC recommends upgrading
to the latest Dell EMC Unity OE code. Customers can refer to Dell EMC target code information
at: https://support.emc.com/docu39695_Target_Revisions_and_Adoption_Rates.pdf?language=en_US&language=en_US.

Link to remedies:
Registered Dell EMC Support customers can download Unity software from the EMC Online Support
web site. https://support.emc.com/downloads/39949_Dell-EMC-Unity-Family

Severity Rating
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307
(https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both
the base score and any relevant temporal and environmental scores which may impact the
potential severity associated with particular security vulnerability.

Legal Information
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any
situation that might arise from the problems described herein. If you have any questions
regarding this advisory, contact Dell EMC Technical Support
(https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security
Advisories, in order to bring to the attention of users of the affected Dell EMC products,
important security information. Dell EMC recommends that all users determine the applicability
of this information to their individual situations and take appropriate action. The information
set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all
warranties, either express or implied, including the warranties of merchantability, fitness for
a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers,
be liable for any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Dell EMC or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages, so the foregoing limitation
may not apply.

Dell EMC Product Security Incident Response Team
secure@dell.com
http://www.emc.com/products/security/product-security-response-center.htm

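
The advisory names no file paths, so the following is an added example and not Dell EMC code: a generic audit for the condition described under Details, library files that an account outside a trusted set could alter or replace. The function names, the suffix list and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_library_permissions(root, trusted_uids=(0,), suffixes=(".so", ".py", ".jar")):
    """Return sorted (path, reason) findings for library files under root that
    an account outside trusted_uids could alter or replace."""
    findings = []
    loose = stat.S_IWGRP | stat.S_IWOTH
    for dirpath, _dirs, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        # Write access to a directory allows replacing any file inside it,
        # whatever the file's own mode, unless the sticky bit is set.
        dir_open = dst.st_uid not in trusted_uids or (
            bool(dst.st_mode & loose) and not dst.st_mode & stat.S_ISVTX)
        for name in filenames:
            if not (name.endswith(suffixes) or ".so." in name):
                continue  # suffix list is an assumption; adjust per platform
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_uid not in trusted_uids:
                findings.append((path, "owner-not-trusted"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            if dir_open:
                findings.append((path, "parent-dir-writable"))
    return sorted(findings)

def demo():
    """Constructed sample tree: one locked-down library, one group-writable."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("libgood.so", 0o644), ("libbad.so.1", 0o664), ("notes.txt", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        found = audit_library_permissions(root, trusted_uids=(os.getuid(),))
        return [(os.path.basename(p), why) for p, why in found]

if __name__ == "__main__":
    print(demo())
```

On a real host the default `trusted_uids=(0,)` treats only root-owned files and directories as trusted; the demo substitutes the current user so it runs without privileges.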
