Six Vulnerabilities Found in Dell EMC’s Disaster Recovery System, One Critical

A pen-tester has found six vulnerabilities in Dell EMC RecoverPoint devices, including a critical remote code execution flaw that could allow total system compromise.

EMC RecoverPoint is a disaster recovery tool that backs up local and remote storage across data centers and across physical and virtual machines. It replicates data continuously, in real time, so if a system is compromised or data is lost (say, to a ransomware attack or a natural disaster), RecoverPoint lets a company roll back and recover an exact image of that data from a specific moment in time.

Each of the flaws affects all versions of Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 5.1.1.3. The vendor has so far patched three of the issues, with fixes released Monday in advisory DSA-2018-095 (the non-public advisory is available to registered customers via the vendor’s Product Security Response Center). One of the reported issues (PSRC-5489) is treated as a product defect and has been addressed in the same releases; for the other two, Dell EMC offers remediation through updated product configuration guidance rather than a patch.

The most serious of the vulnerabilities, and one of the patched bugs, is rated critical (CVE-2018-1235, CVSS 9.8). It allows unauthenticated remote code execution with root privileges – which can pretty much hand over the keys to the kingdom to an attacker.

According to Foregenix penetration-tester Paul Taylor, a bad actor with visibility of a RecoverPoint device on the network (either remotely or locally) can not only gain complete control over the RecoverPoint device itself, but also the underlying Linux operating system. No credentials are needed to carry out the attack. From there, the perpetrators can pivot to wreak more havoc.

“To show the extent of compromise possible, during the engagement, once Foregenix had complete control of the RecoverPoint devices, it was then possible to exploit some of the other zero-day vulnerabilities discovered in order to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with,” he said in a disclosure posting. The pivot relied in particular on the insecure LDAP configuration option described below.

Dell EMC and Taylor are providing no further details on the critical-rated flaw for fear attackers could use them as a blueprint to exploit the flaw while companies work to apply the fix.

Another patched vulnerability is a medium-severity arbitrary file read flaw in the administrative menu (CVE-2018-1242, CVSS 6.7). It allows an attacker with local access to the “boxmgmt” administrative menu to read files from the file system, the vendor said. The same component was patched back in February for a different vulnerability, a privilege escalation issue that could allow a local attacker to run arbitrary commands with root privileges on the targeted system.

The third patched issue is also a medium-severity bug (CVE-2018-1241, CVSS 6.2). Here, LDAP plaintext credentials are leaked into a Tomcat log file if a user logs into an LDAP account via RecoverPoint’s web interface. The problem is that the credentials can remain in the log file indefinitely, and attackers with access to the RecoverPoint file system can hijack them to then compromise the LDAP account.

Two of the remaining issues involve the fact that RecoverPoint ships with a system password hash stored in a world-readable file (i.e., one that any user on the box can read, according to Taylor), and that it uses a default root password which, in some versions, can only be changed by contacting the vendor.

Dell EMC initially issued a CVE for the world-readable hash issue, but then revoked it. A spokesperson told Threatpost that the reported issue, when not chained with other known, patched vulnerabilities, does not result in a negative outcome by itself.

“Based on our internal investigation, the files that contained the grub password hash can only be read by the root user via SSH access (regardless of the file permissions),” he explained. “The root level user already has access to the grub configuration file that contains the same hash. The root level user can also reset the grub password at any time. For these reasons we decided not to assign a CVE for this issue.”

Nonetheless, Dell EMC has addressed the issue in the latest upgrade, which also removes the exposed hashes from the listed files.
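The check a practitioner would want for this class of finding is a filesystem audit for world-readable files that carry password hashes. The following is an added example, not code from the article, Foregenix or Dell EMC: it walks a directory tree, flags files whose "other" read bit is set and whose contents match a GRUB2 PBKDF2 hash or a crypt(3)-style `$id$` hash. The directory layout, file names and hash values are constructed for the demo; on a real appliance the audit would be run against `/`. Note Dell EMC's own caveat above: on the appliance, reaching the file at all may require a root shell, so file mode bits alone do not settle exploitability.

```python
"""Audit a directory tree for world-readable files that contain password hashes.

Added example (not from the Threatpost article or Dell EMC). The directory
layout and file contents below are constructed for the demo.
"""
import os
import re
import stat
import tempfile

# Hash formats commonly found in config files: GRUB2 PBKDF2 hashes and
# crypt(3)-style $<id>$ hashes (e.g. $6$ = sha512crypt, $y$ = yescrypt).
HASH_PATTERNS = [
    re.compile(r"grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+"),
    re.compile(r"\$(?:1|5|6|y|2[abxy]?)\$[^\s:]{8,}"),
]


def is_world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def contains_hash(path, max_bytes=1 << 20):
    """Return the first hash-looking token found in the file, or None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return None
    for pattern in HASH_PATTERNS:
        m = pattern.search(data)
        if m:
            return m.group(0)
    return None


def audit(root):
    """Walk root; return sorted (relative path, hash) pairs for world-readable files holding a hash."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_world_readable(path):
                h = contains_hash(path)
                if h:
                    findings.append((os.path.relpath(path, root), h))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: one leaky 0644 file, one properly restricted 0600 file, one benign file."""
    root = tempfile.mkdtemp(prefix="hash-audit-")
    grub_hash = ("grub.pbkdf2.sha512.10000."
                 "0123456789abcdef0123456789abcdef."
                 "fedcba9876543210fedcba9876543210")   # made-up hash value
    files = {
        "etc/installer/answers.txt": ("bootloader_password=" + grub_hash + "\n", 0o644),
        "boot/grub/user.cfg": ("GRUB2_PASSWORD=" + grub_hash + "\n", 0o600),
        "etc/motd": ("Welcome to the appliance.\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel_path, h in audit(build_demo_tree()):
        print(f"WORLD-READABLE HASH: {rel_path}: {h[:40]}...")
```

Only `etc/installer/answers.txt` is reported: `boot/grub/user.cfg` holds the same hash but is mode 0600, and the audit deliberately keys on the permission bits, since the finding here was the exposure, not the existence, of the hash.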

As for the password concern, Taylor said that the password at issue is for the root account of RecoverPoint’s underlying Linux OS. Thus, compromising the root password of one device means an attacker could gain control over every device using that same default password, by logging in at the local console, or by gaining console access as an unprivileged user and switching to root.

“Remote login for the root account is disabled by default in RecoverPoint and Dell EMC recommends against changing this default setting for security reasons,” the spokesperson told us. However, he added that customers can self-manage the root password in newer versions, and the vendor has updated its documentation to include detailed instructions for how to change it. For older versions of the product, Dell EMC is advising customers to contact customer support for assistance.

And finally, the insecure configuration option allows LDAP credentials to be sent in clear text, which means they can be intercepted by an attacker in a man-in-the-middle attack, or by someone who has already gained access to the RecoverPoint device through another vulnerability. The stakes are high if the critical patch hasn’t been applied: Foregenix was able to exploit this flaw to intercept credentials sent from the RecoverPoint device and compromise a Microsoft Active Directory domain.

LDAP settings are configured during product installation. Dell EMC said the RecoverPoint documentation warns about the insecure nature of that particular configuration, so users who set it up that way do so at their own risk. The vendor advises customers to use LDAP over SSL instead, and provides instructions for doing so in the documentation.
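To make concrete why a clear-text LDAP bind is a credential leak, here is an added example (not code from the article, Foregenix or Dell EMC) that builds and then decodes an LDAPv3 simple BindRequest as it appears on the wire under RFC 4511. The DN and password travel as plain BER octet strings, so anyone who can observe the TCP stream (a man-in-the-middle, or someone already on the device) reads them directly. The sample DN and password are made up; the packet is constructed in the block. Over LDAPS (port 636) or after STARTTLS, the same bytes sit inside TLS and a passive observer sees nothing.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511) in raw BER.

Added example, not from the article or the vendor. Shows that the bind DN
and password are plain octet strings on an unencrypted LDAP connection.
"""


def _ber_len(buf, pos):
    """Decode a BER definite length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                          # short form
        return first, pos + 1
    n = first & 0x7F                          # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _tlv(buf, pos):
    """Read one tag-length-value; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length, start = _ber_len(buf, pos + 1)
    return tag, buf[start:start + length], start + length


def _encode(tag, value):
    """Encode one TLV, using long-form length when the value is 128+ bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_simple_bind(message_id, dn, password):
    """Build an LDAPMessage carrying a BindRequest with 'simple' authentication.

    message_id is kept below 128 so it fits a single INTEGER content byte.
    """
    assert 0 < message_id < 128
    bind = (_encode(0x02, bytes([3]))             # version INTEGER 3
            + _encode(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
            + _encode(0x80, password.encode()))  # simple [0] OCTET STRING, clear text
    body = _encode(0x02, bytes([message_id])) + _encode(0x60, bind)  # [APPLICATION 0] BindRequest
    return _encode(0x30, body)                    # LDAPMessage SEQUENCE


def parse_simple_bind(packet):
    """Extract message_id, version, dn and password from a simple bind; None if not one."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _tlv(msg, pos)
    if tag != 0x60:                               # e.g. SearchRequest is 0x63
        return None
    _, ver, pos = _tlv(bind, 0)
    _, dn, pos = _tlv(bind, pos)
    auth_tag, auth, _ = _tlv(bind, pos)
    if auth_tag != 0x80:                          # SASL is [3] (0xA3); no plain password there
        return None
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "dn": dn.decode(),
        "password": auth.decode(),
    }


# Constructed sample: what a directory-integrated appliance might send on port 389.
SAMPLE_BIND = build_simple_bind(
    1, "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example", "Winter2018!")

if __name__ == "__main__":
    print("on the wire:", SAMPLE_BIND.hex())
    print("observer sees:", parse_simple_bind(SAMPLE_BIND))
```

The decoder is the interesting half: it is a few dozen lines of tag checks, which is all an on-path attacker or a packet-capture tool needs to harvest the service account credentials, and then the Active Directory pivot the article describes follows.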

“We thank Foregenix Ltd. for bringing this to our attention and its cooperation with Dell EMC to ensure coordinated disclosure,” the vendor said in a media statement. “Dell EMC follows best practices in managing and responding to security vulnerabilities discovered in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities.”