Multiple vulnerabilities in EMC products



Published: 2017-09-22
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2017-8007
CVE-2017-8012
CWE-ID CWE-22
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Storage M&R
Client/Desktop applications / Other client software

VNX M&R
Client/Desktop applications / Other client software

EMC M&R (Watch4Net)
Client/Desktop applications / Other client software

EMC ViPR SRM
Client/Desktop applications / Software for archiving

Vendor Dell

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Directory traversal

EUVDB-ID: #VU8570

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8007

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to access information on the target system.

The weakness exists due to directory traversal in Webservice Gateway. A remote attacker can with knowledge of Webservice Gateway credentials can supply specially crafted strings in input parameters of the web service call to access, modify or delete data.

Mitigation

Update the software to version 4.1.
Install 6.7.x fox for EMC M&R Watch4net for SAS Solution Packs.

Vulnerable software versions

Storage M&R: 4.0.1 - 4.0.3

EMC ViPR SRM: 4.0.1 - 4.0.3

VNX M&R: 4.0.1 - 4.0.3

EMC M&R (Watch4Net): All versions

External links

http://seclists.org/fulldisclosure/2017/Sep/51


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU8571

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8012

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to input validation flaw. A remote attacker can with knowledge of JMX agent user credentials can leverage inherent JMX protocol capabilities to create arbitrary files and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the software to version 4.1.

Vulnerable software versions

Storage M&R: 4.0.1 - 4.0.3

EMC ViPR SRM: 4.0.1 - 4.0.3

VNX M&R: 4.0.1 - 4.0.3

External links

http://seclists.org/fulldisclosure/2017/Sep/51


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###