SB2019093010 - Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019093010

SB2019093010 - Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance

Published: September 30, 2019

Security Bulletin ID SB2019093010
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Stored cross-site scripting (CVE-ID: CVE-2019-3747)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Cloud DR add-on specific field. A remote authenticated ACM administrator can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Cryptographic issues (CVE-ID: CVE-2019-3736)

CWE-ID: CWE-310 - Cryptographic Issues

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to weak cryptography in the ACM component. A remote authenticated attacker with root privileges can use a support tool to decrypt encrypted passwords stored locally on the system and use it to access other components using the privileges of the compromised user.

3) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2019-3746)

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to gain access to the system.

The vulnerability exists due to the affected software does not limit the number of authentication attempts to the ACM API. A remote authenticated attacker can launch a brute-force authentication attack and gain access to the target system.

Remediation

Install update from vendor's website.

References