The Register® — Biting the hand that feeds IT

Feeds

EMC vuln gives mere sysadmins the power of storage admins

Time to patch VNX and Celerra software before non-experts do something silly

By Simon Sharwood, 19th May 2013

Email delivery: Hate phishing emails? You'll love DMARC

EMC has warned a flaw in the Control Station software for its VNX and Celerra arrays could allow just about anyone logged into them to do just about anything.

EMC's described the fault as stemming from “Script files in affected products exist with ownership permissions for the nasadmin group account.”

The nasadmin group is designed as a group of general users, while the user with the same name “has system-wide management capabilities for the box and is authorized to make extensive changes to the storage system.” The flaw means folks in the group get the same privileges as nasdmin, the user.

That means mere sysadmins allowed to log into to VNX and Celerra devices and “exploit this vulnerability to run arbitrary commands as the root user.”

Which may get storage admins more than a little jumpy, lest those less familiar with their arrays' operation

Celerra owners know their boxen are already obsolete, but nonetheless have been urged by EMC to upgrade “at the earliest opportunity” by getting their hands on this download. VNX users are urged to do likewise, with their download available here.

EMC has tipped its hat to Doug DePerry of iSEC Partners for finding the flaw. ®

5 ways to reduce advertising network latency

Whitepapers

Microsoft’s Cloud OS
System Center Virtual Machine manager and how this product allows the level of virtualization abstraction to move from individual physical computers and clusters to unifying the whole Data Centre as an abstraction layer.
5 ways to prepare your advertising infrastructure for disaster
Being prepared allows your brand to greatly improve your advertising infrastructure performance and reliability that, in the end, will boost confidence in your brand.
Supercharge your infrastructure
Fusion­‐io has developed a shared storage solution that provides new performance management capabilities required to maximize flash utilization.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Avere FXT with FlashMove and FlashMirror
This ESG Lab validation report documents hands-on testing of the Avere FXT Series Edge Filer with the AOS 3.0 operating environment.
Search more Resources

More from The Register

next story
Multipath TCP: Siri's new toy isn't a game-changer
This experiment is an alpha and carriers could swat it like a bug
67
Ellison ditches own cloud keynote for billionaires' America's Cup boat race
Mass exodus after King Database snubs attendees
42
Barmy Army to get Wi-Fi to the seat for cricket's Ashes
Sydney Test Match will offer replays to the smartmobe
13
How many apps does it take to back up your data?
Trevor Pott counts the ways
28
Microsoft follows Amazon in gaining critical US gov certification
Redmond zooms onto FedRAMP, but where's Google?
9
Dedupe-dedupe, dedupe-dedupe-dedupe: Flashy clients crowd around Permabit diamond
3 of the top six flash vendors are casing the OEM dedupe tech, claims analyst
8
Seagate to storage bods: You CAN touch this (at last). Stop, HAMR time
We've talked about it for a while... next month, you'll actually *see* it
14
Disk-pushers, get reel: Even GOOGLE relies on tape
Prepare to be beaten by your old, cheap rival
13
French data cops to Google: RIGHT, you had your chance. PUNISHMENT time
Prepare yourself for fines, snarls CNIL
63
Dragons' Den star's biz Outsourcery sends yet more millions up in smoke
Telly moneybags went into the cloud and still nobody's making any profit
15
prev story