Authentication bypass in EMC Unisphere

Published: 2017-11-01 16:25:38 | Updated: 2017-11-01 16:25:54
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVSSv2: 5.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE ID: CVE-2017-14375
CWE ID: CWE-284
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: EMC Unisphere
Vulnerable software versions: EMC Unisphere 8.4, EMC Unisphere 8.3, EMC Unisphere 8.2
Vendor URL: EMC Corporation
Advisory type: Public

Security Advisory

1) Authentication bypass

Description

The vulnerability allows a remote attacker to gain access to the target system.

The weakness exists due to improper access controls in the vApp Manager servlet. A remote, unauthenticated attacker can send specially crafted AMF messages to the servlet, bypass authentication, and create new user accounts with administrative privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update EMC Unisphere to version 8.3.0.10 or 8.4.0.15.
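As an added helper (not part of this advisory or of EMC's own tooling), the following check compares an installed Unisphere version string against the fixed versions named above. It assumes dotted numeric version strings and, because the advisory lists no fixed build for the 8.2 branch, treats every 8.2.x install as affected until it is upgraded to a fixed 8.3 or 8.4 build.

```python
from typing import Optional, Tuple

# Fixed builds taken from the advisory's remediation section, keyed by branch.
# 8.2 is listed as vulnerable with no fixed build, so it has no entry here.
FIXED_BUILDS = {
    (8, 3): (8, 3, 0, 10),
    (8, 4): (8, 4, 0, 15),
}
# Branches the advisory lists as vulnerable.
VULNERABLE_BRANCHES = {(8, 2), (8, 3), (8, 4)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.4.0.15' or '8.3' into a 4-part integer tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts or len(parts) > 4:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def cve_2017_14375_status(version: str) -> Optional[str]:
    """
    Return 'affected', 'fixed', or None (branch not covered by the advisory).
    A build below the branch's fixed build, or any build on a vulnerable branch
    with no fixed build listed, is reported as affected.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in VULNERABLE_BRANCHES:
        return None  # advisory says nothing about this branch; do not guess
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None or v < fixed:
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("unisphere-a", "8.4.0.14"), ("unisphere-b", "8.3.0.10"),
                      ("unisphere-c", "8.2.1"), ("unisphere-d", "9.0")]:
        print(host, ver, cve_2017_14375_status(ver))
```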

External links

http://seclists.org/fulldisclosure/2017/Oct/70
