#VU8570 Directory traversal in Dell Client/Desktop applications


Published: 2017-09-22

Vulnerability identifier: #VU8570

Vulnerability risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8007

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Storage M&R (Client/Desktop applications / Other client software)
VNX M&R (Client/Desktop applications / Other client software)
EMC M&R (Watch4Net) (Client/Desktop applications / Other client software)
EMC ViPR SRM (Client/Desktop applications / Software for archiving)

Vendor: Dell

Description
The vulnerability allows a remote authenticated attacker to access information on the target system.

The weakness exists due to directory traversal in the Webservice Gateway. A remote attacker with knowledge of Webservice Gateway credentials can supply specially crafted strings in input parameters of the web service call to access, modify or delete data.

Mitigation
Update the software to version 4.1.
Install the 6.7.x fix for EMC M&R Watch4net for SAS Solution Packs.

Vulnerable software versions

Storage M&R: 4.0.1 - 4.0.3

EMC ViPR SRM: 4.0.1 - 4.0.3

VNX M&R: 4.0.1 - 4.0.3

EMC M&R (Watch4Net): All versions


External links
http://seclists.org/fulldisclosure/2017/Sep/51


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

