Penetration tester pokes six holes in Dell EMC's RecoverPoint products
Three fixed, including critical remote code execution bug
Infosec outfit Foregenix has uncovered six vulnerabilities in Dell EMC's data protection platform RecoverPoint, three of which have been fixed.
Paul Taylor, a senior penetration tester at Foregenix, found five zero-day vulnerabilities in RecoverPoint devices, as well as an insecure configuration option.
The flaws, one of which is of critical severity, affected all versions of RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 18.104.22.168.
The critical vulnerability allowed unauthenticated remote code execution with root privileges. If an attacker had visibility of RecoverPoint on the network, or local access to it, they could gain complete control over RecoverPoint and its underlying Linux operating system.
Foregenix has reported all six vulnerabilities to Dell EMC. At the time of writing Dell EMC had issued CVE notices for three of the flaws and included them in an advisory published today. Details are as follows:
- Critical unauthenticated remote code execution with root privileges via unspecified attack vector (CVE-2018-1235, CVSS 9.8, critical severity) – permits an attacker with visibility of a RecoverPoint device on the network to gain complete control over the underlying Linux operating system
- Admin CLI arbitrary file read (CVE-2018-1242, CVSS 6.7, medium severity) – an attacker with access to the boxmgmt administrative menu can read files from the file system which are accessible to the boxmgmt user
- LDAP credentials in Tomcat log file (CVE-2018-1241, CVSS 6.2, medium severity) – in certain conditions, RecoverPoint will leak plaintext credentials into a log file
- World-readable log contains password hash (CVE not issued at time of writing) – RecoverPoint is shipped with a system password hash stored in a world-readable file
- Hardcoded root password (CVE not issued at time of writing) – RecoverPoint uses a hardcoded root password which can only be changed by contacting the manufacturer
- LDAP credentials sent in cleartext (CVE not issued at time of writing) – an insecure configuration option permits LDAP credentials sent by the RecoverPoint to be intercepted by an attacker
Foregenix has provided more information about these vulnerabilities here. ®