Dell EMC squashes pair of VMAX virtual appliance bugs
vApp Manager contained undocumented default account
Dell EMC has patched two serious flaws in the management interface for its VMAX enterprise storage systems, one of which could potentially allow a remote attacker to gain unauthorised access to systems.
The vendor announced that the VMAX vApp Manager had "Multiple Vulnerabilities" in a security advisory earlier this week.
The message said the vApp Manager, embedded in four Dell EMC products, contains two security vulnerabilities. It has reserved a spot on Mitre's Common Vulnerabilities and Exposures list (CVE-2018-1215) for an "Arbitrary file upload vulnerability", and another at CVE-2018-1216 for a "Hard-coded password vulnerability".
The second, as you might imagine, is the more serious one, as "a remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system".
Dell EMC said it had "removed the undocumented default account – ÒsmcÓ – for all fresh installations of versions of the products that contain the fixes. The account cannot be removed from the user database for upgrade situations, however all servlets that use this account have been removed from the application making the account obsolete."
The first flaw allows "an authenticated, remote attacker to upload arbitrary files on a targeted system", but the attacker must authenticate to the targeted system. Potentially, miscreants could chain the vuln with CVE-2018-1216 – the "default account" vuln – for this, Dell EMC warned.
Admins are advised to install updates and, of course, keep strangers out of the network.
Four Dell EMC products are listed together with seven fixes:
- Unisphere for VMAX Virtual Appliance versions prior to 126.96.36.199
- Fix – Unisphere for VMAX Virtual Appliance 188.8.131.52 OVA hotfix 1090, service alert 1059
- Fix – Unisphere for VMAX Virtual Appliance 184.108.40.206 ISO upgrade hotfix 1089, service alert 1058
- Solutions Enabler Virtual Appliance versions prior to 220.127.116.11
- Fix – Solutions Enabler Virtual Appliance 18.104.22.168 OVA hotfix 2058, service alert 1891
- Fix – Solutions Enabler Virtual Appliance 22.214.171.124 ISO upgrade hotfix 2057, service alert 1890
- VASA Virtual Appliance versions prior to 126.96.36.1994
- Fix – VASA Virtual Appliance 188.8.131.526 OVA
- Fix – VASA Virtual Appliance 184.108.40.2066 ISO upgrade
- VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier
- Fix – eMGMT 220.127.116.115 (Service Pack 6848)
Dell EMC recommends all customers upgrade at the earliest opportunity. Customers can download software for Dell EMC VASA Virtual Appliance 18.104.22.1686 OVA and ISO from Dell EMC Online Support at https://support.emc.com/downloads/40557_VASA-Provider. ®