Dell EMC fixed two critical flaws in its management interfaces for its VMAX enterprise storage systems. One of the vulnerabilities could allow a remote attacker to use a hard-coded password to a default account to gain unauthorized access to systems.
The company issued updates that address the two vulnerabilities, CVE-2018-1215 and CVE-2018-1216, on Tuesday. Dell EMC’s VMAX Virtual Appliance (vApp) Manager is a key component to a wide range of the company’s enterprise storage systems.
“The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system,” wrote Dell EMC in a security advisory.
The most serious flaw (CVE-2018-1216) in the vApp Manager is tied to an undocumented default account (ÒsmcÓ) which has a hard-coded password that can be used in conjunction with web-based Java servlets. Java servlets are server-side programs which run on the server side, handling specialized requests.
“A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system,” according to the security bulletin. The vulnerability has a Common Vulnerability Scoring System (CVSS) base score of 9.8.
The other critical vulnerability (CVE-2018-1215) fixed in the vApp Manager application is also rated critical with a CVSS score of 8.8. In the case of this vulnerability, a remote authenticated malicious user could upload arbitrary maliciously crafted files to any location on a targeted web server.
Researchers point out this vulnerability requires a chaining of the previous vulnerability CVE-2018-1216 in order to exploit it.
Credited for finding the bug is Carlos Perez, a researcher with Tenable.
Dell EMC says part of its mitigation efforts have included removing the default ÒsmcÓ account from fresh installs. However, it said the account will not be removed when customers upgrade the vApp Manager application. “However all servlets that use this account have been removed from the application making the account obsolete,” Dell EMC noted.
Affected products include:
Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 188.8.131.52
Dell EMC Solutions Enabler Virtual Appliance versions prior to 184.108.40.206
Dell EMC VASA Virtual Appliance versions prior to 220.127.116.114
Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)