Lucene search
Rgod1337DAY-ID-28935HistoryNov 01, 2017 - 12:00 a.m.
EMC VMAX Virtual Appliance (vApp) Authentication Bypass Vulnerability
2017-11-0100:00:00
rgod
0day.today
35
EPSS
0.014
Percentile
86.3%
The vApp Manager which is embedded in EMC Unisphere for VMAX, Solutions Enabler, VASA Virtual Appliances, and EMC VMAX Embedded Management (eManagement) contains an authentication bypass vulnerability that may potentially be exploited by malicious users to compromise the affected system. Affected products include EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.15, EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15, EMC VASA Virtual Appliance versions prior to 8.4.0.512, and EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier).
EMC VMAX Virtual Appliance (vApp) Authentication Bypass Vulnerability
CVE Identifier: CVE-2017-14375
Severity Rating: CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected products:
*EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.15
*EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15
*EMC VASA Virtual Appliance versions prior to 8.4.0.512
*EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)
Summary:
The vApp Manager which is embedded in EMC Unisphere for VMAX, Solutions Enabler, VASA Virtual Appliances, and EMC VMAX Embedded Management (eManagement) contains an authentication bypass vulnerability that may potentially be exploited by malicious users to compromise the affected system.
Details:
The vApp Manager contains a servlet that does not perform proper authentication checks before processing AMF messages for user creation requests. A remote unauthenticated attacker, by having knowledge of the message format, may potentially create new user accounts with administrative privileges, and then log in to the affected application.
Resolution:
The following VMAX products contain a resolution for this vulnerability:
ESX Server Installs:
*EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA
*EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 ISO
*EMC Unisphere for VMAX Virtual Appliance 8.3.0.10 OVA hotfix 1084, Service Alert 1054
*EMC Unisphere for VMAX Virtual Appliance 8.3.0.10 ISO upgrade hotfix 1083, Service Alert 1053
*EMC Solutions Enabler Virtual Appliance 8.4.0.15 OVA hotfix 2051, Service Alert 1884
*EMC Solutions Enabler Virtual Appliance 8.4.0.15 ISO upgrade hotfix 2050, Service Alert 1883
*EMC Solutions Enabler Virtual Appliance 8.3.0.33 OVA hotfix 2049, Service Alert 1882
*EMC Solutions Enabler Virtual Appliance 8.3.0.33 ISO upgrade hotfix 2048, Service Alert 1881
*EMC VASA Virtual Appliance 8.4.0.512 OVA
*EMC VASA Virtual Appliance 8.4.0.512 ISO upgrade
eManagement:
*eMGMT 1.4.0.350 ePack kit 6684
*eMGMT 1.3.0.312 ePack kit 6700
EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies:
Customers can download software for EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA and ISO from EMC Online Support at https://support.emc.com/downloads/27045_Unisphere-for-VMAX
Customers are recommended to contact Customer Support and place a Customer Service Request for all other fixes.
Credit:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative, for reporting this issue.
# 0day.today [2018-03-19] #Related
nessus
nessus
prion
prion
Authentication flaw
2017-11-01 01:29:00
zdi
zdi
cvelist
cvelist
CVE-2017-14375
2017-11-01 01:00:00
nvd
nvd
CVE-2017-14375
2017-11-01 01:29:00
cve
cve
CVE-2017-14375
2017-11-01 01:29:00