[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] ESA-2017-123: EMC Networker Remote Code Execution Vulnerability
From: <secure () Dell ! com>
Date: 2019-03-22 19:27:47
Message-ID: 10fcdd8a07af4da9a745e7d2da5fd73f () AUSX13MPS306 ! AMER ! DELL ! COM
[Download RAW message or body]
Restricted - Confidential
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2017-123: EMC Networker Remote Code Execution Vulnerability
EMC Identifier: ESA-2017-123
CVE Identifier: CVE-2017-8023
Severity Rating: CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected products:
EMC NetWorker versions 8.2.x
EMC NetWorker versions 9.0.x
EMC NetWorker versions prior to 9.1.1.5
EMC NetWorker versions prior to 9.2.1
Summary:
EMC NetWorker includes an unauthenticated remote code execution vulnerability that may \
potentially be exploited by malicious users to compromise the affected system.
Details:
EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution \
vulnerability in the Networker Client execution service (nsrexecd) when oldauth authentication \
method is used. An unauthenticated remote attacker could send arbitrary commands via RPC \
service to be executed on the host system with the privileges of the nsrexecd service, which \
runs with administrative privileges.
Resolution:
The following EMC NetWorker releases address this vulnerability:
EMC NetWorker 9.1.1.5
EMC NetWorker 9.2.1
EMC NetWorker 8.2.4.11
The two options below can be used as a workaround:
1. Use nsrauth exclusively and do not allow a fallback to oldauth.
2. For customers who must use oldauth, ensure all 'servers' files are properly configured and \
review the "Restricting remote program executions and client-tasking rights" section in the EMC \
NetWorker Security Configuration Guide for how to update the servers file.
EMC recommends all customers upgrade at the earliest opportunity. Oldauth is an insecure \
authentication mode and supported for compatibility purposes only. Customers are strongly \
recommended to use nsrauth exclusively in their environment. See EMC NetWorker Security \
Configuration Guides listed below for additional information:
https://support.emc.com/docu57698_NetWorker-8.2--Security-Configuration-Guide.pdf
https://support.emc.com/docu61097_NetWorker_9.0.x_Security_Configuration_Guide.pdf
https://support.emc.com/docu81539_NetWorker-9.1.x-Security-Configuration-Guide.pdf
https://support.emc.com/docu85867_NetWorker-9.2-Security-Configuration-Guide.pdf
Link to remedies:
Customers can download software from two different locations:
For EMC NetWorker version 9.1.1: \
https://support.emc.com/docu86749_NetWorker,-NVE,-NVP-and-Modules-9.1.1-Cumulative-Hotfixes.pdf \
For EMC NetWorker version 9.2.1: https://support.emc.com/downloads/1095_NetWorker For EMC \
NetWorker version 8.2.4.11: \
https://support.emc.com/docu81710_NetWorker-and-NMM-8.2.4-Cumulative-Hotfixes.pdf
Severity Rating:
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307. Dell \
EMC recommends all customers take into account both the base score and any relevant temporal \
and environmental scores which may impact the potential severity associated with particular \
security vulnerability.
Legal Information:
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any \
situation that might arise from the problems described herein. If you have any questions \
regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867. \
Dell EMC distributes Dell EMC Security Advisories, in order to bring to the attention of users \
of the affected Dell EMC products, important security information. Dell EMC recommends that all \
users determine the applicability of this information to their individual situations and take \
appropriate action. The information set forth herein is provided "as is" without warranty of \
any kind. Dell EMC disclaims all warranties, either express or implied, including the \
warranties of merchantability, fitness for a particular purpose, title and non-infringement. In \
no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including \
direct, indirect, incidental, consequential, loss of business profits or spe cial damages, \
even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some \
states do not allow the exclusion or limitation of liability for consequential or incidental \
damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAlyVNowACgkQgSlofD2Y
i6d1Uw//bMPx1u7Eg7q8oa5+Cuoi90nP4WqhOfUHw/2p7ocXJZ9zpwHgQGS2b+XL
Et1WPLt/HfUgUz0ej66by46mKwxjvSc00dOouorp+3r0rcqKnQCs8YxYEvF3E6Fa
XJyoPsjP6Cn03IAkcRV0busFhCrfrh3njcpwUFy5Sx9XYc+8CzphHFswbggODfgA
tjolOTX4SuOLZDZhbnqB4RygNvb1xHGS4rNIhyRLLhQUBHL8+kqj0uWc/q6QsT/9
2NuIg1R+EbC8ojmmCb0p9fRwqOMOdgO9owg/IF4V2p6gIlV+J/hAbr9eGHqdVN7N
js1bfJrqsjCNQ0iR7j/ifUs0EiMRdP/OShf5kdFCMafcNKlJoaLd/2elLha+VHDD
T+0GT6nL67luUhLo9SlMm+LeqUkXCm20peml6/D9/FFALADe4Si03hnWnaBZL120
JgildayMavnvNv30+JEoX77hud2dsieJkiKPcb/FOhmft1x2vBKBNrH60QGf5qEZ
xBWCCVqhKxIKM/K0FtfqoY+cUpotBOvkjikoKqiHSCZGEHGCx5Gfdk6D1IGWh6Fu
lRPXCg3tjP1QlwLxLSdcXp7U3IWzgvxV0VBtGMEUkxHSXlp5zsDf1DwgpjqoChAm
WHBtRbsMAEpqF21pHXCAT5RO29SNcBDd7w02Fur8II1hS4JeFkc=
=lMbT
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic