ESB-2017.2977 - [Virtual] EMC VMAX Virtual Appliance: Administrator compromise - Remote/unauthenticated 2017-11-21


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2977
        Authentication Bypass leading to Administrator Creation in
                             EMC VMAX Products
                             21 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          EMC VMAX Virtual Appliance
                  EMC Unisphere for VMAX Virtual Appliance
                  EMC Solutions Enabler vApp
                  EMC VASA vApp
                  EMC VMAX eManagement
Publisher:        EMC
Operating System: Virtualisation
Impact/Access:    Administrator Compromise -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2017-14375  

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-137: EMC VMAX Virtual Appliance (vApp) Authentication Bypass Vulnerability

EMC Identifier: ESA-2017-137
CVE Identifier: CVE-2017-14375
Severity Rating: CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected products:  
*EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.15

*EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15

*EMC VASA Virtual Appliance versions prior to 8.4.0.512

*EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and 
earlier)


Summary:  
The vApp Manager which is embedded in EMC Unisphere for VMAX, Solutions Enabler, VASA Virtual Appliances, and EMC VMAX 
Embedded Management (eManagement) contains an authentication bypass vulnerability that may potentially be exploited by 
malicious users to compromise the affected system.

Details:  
The vApp Manager contains a servlet that does not perform proper authentication checks before processing AMF messages 
for user creation requests. A remote unauthenticated attacker, by having knowledge of the message format, may 
potentially create new user accounts with administrative privileges, and then log in to the affected application.
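The following added example (it is not EMC code and does not reproduce the vApp Manager's real AMF message format or servlet) illustrates the defect class described above: a handler that acts on a user-creation message before checking who sent it, next to a hardened handler that checks authentication and authorisation before touching the payload. The message fields, the Session model and all function names are constructed for the illustration.

```python
"""Added illustration of a user-creation handler with and without an
authentication gate. Message shape, Session model and names are
constructed; they are not the vApp Manager's real protocol or code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    """Constructed stand-in for the caller's server-side session."""
    user: Optional[str] = None
    is_admin: bool = False

    @property
    def authenticated(self) -> bool:
        return self.user is not None


class UserStore:
    """Constructed in-memory account table seeded with one administrator."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {"admin": "administrator"}

    def create(self, name: str, role: str) -> None:
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = role


def create_user(store: UserStore, message: dict) -> dict:
    """The privileged operation itself; it carries no authentication logic."""
    store.create(message["name"], message["role"])
    return {"status": "ok", "created": message["name"]}


def vulnerable_handle(store: UserStore, session: Session, message: dict) -> dict:
    """Vulnerable pattern: dispatches on the operation name and never consults
    the session, so a caller with no session at all can create an
    administrator account if the message is well-formed."""
    if message.get("op") == "createUser":
        return create_user(store, message)
    return {"status": "unknown_op"}


def require_admin(handler: Callable[[UserStore, dict], dict]):
    """Wraps a privileged handler so the session is verified before the
    payload is processed: authentication first, then role, then the work."""
    def gated(store: UserStore, session: Session, message: dict) -> dict:
        if not session.authenticated:
            return {"status": "unauthenticated"}
        if not session.is_admin:
            return {"status": "forbidden"}
        return handler(store, message)
    return gated


# Hardened dispatch table: privileged operations are registered already
# gated, so the check lives in one place rather than in every branch.
HARDENED_OPS = {
    "createUser": require_admin(create_user),
}


def hardened_handle(store: UserStore, session: Session, message: dict) -> dict:
    op = HARDENED_OPS.get(message.get("op"))
    if op is None:
        return {"status": "unknown_op"}
    return op(store, session, message)


if __name__ == "__main__":
    # Constructed request arriving with no session.
    request = {"op": "createUser", "name": "newadmin", "role": "administrator"}
    print(vulnerable_handle(UserStore(), Session(), request))
    print(hardened_handle(UserStore(), Session(), request))
```

The design point is that the gate sits in front of the handler registry rather than inside the handler body, so a new privileged operation cannot be added without passing through the same authentication and role check.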

Resolution:  
The following VMAX products contain a resolution for this vulnerability:
ESX Server Installs:  

*EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA

*EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 ISO

*EMC Unisphere for VMAX Virtual Appliance 8.3.0.10 OVA hotfix 1084, Service Alert 1054

*EMC Unisphere for VMAX Virtual Appliance 8.3.0.10 ISO upgrade hotfix 1083, Service Alert 1053

*EMC Solutions Enabler Virtual Appliance 8.4.0.15 OVA hotfix 2051, Service Alert 1884

*EMC Solutions Enabler Virtual Appliance 8.4.0.15 ISO upgrade hotfix 2050, Service Alert 1883

*EMC Solutions Enabler Virtual Appliance 8.3.0.33 OVA hotfix 2049, Service Alert 1882

*EMC Solutions Enabler Virtual Appliance 8.3.0.33 ISO upgrade hotfix 2048, Service Alert 1881

*EMC VASA Virtual Appliance 8.4.0.512 OVA

*EMC VASA Virtual Appliance 8.4.0.512 ISO upgrade


eManagement:  

*eMGMT 1.4.0.350 ePack kit 6684

*eMGMT 1.3.0.312 ePack kit 6700

EMC recommends all customers upgrade at the earliest opportunity.
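As an added triage aid (not EMC code or tooling), the script below applies the version thresholds from the Affected products section and the hotfix numbers from the Resolution section to an appliance inventory and reports which hosts still need the fix. The product keys, the Appliance record and the inventory rows are constructed for this example. eManagement is left out because its fix ships as ePack kits rather than a version threshold.

```python
"""Added triage helper for ESA-2017-137. Thresholds and hotfix numbers are
the ones the advisory lists; product keys, the Appliance record and the
sample inventory are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# "versions prior to X" from the Affected products section.
FIRST_FIXED_VERSION: Dict[str, Version] = {
    "unisphere_vapp": (8, 4, 0, 15),
    "solutions_enabler_vapp": (8, 4, 0, 15),
    "vasa_vapp": (8, 4, 0, 512),
}

# Hotfixes from the Resolution section that close the issue on the 8.3.0.x
# branches without moving to 8.4.0.15.
FIXING_HOTFIXES: Dict[Tuple[str, Version], FrozenSet[int]] = {
    ("unisphere_vapp", (8, 3, 0, 10)): frozenset({1084, 1083}),
    ("solutions_enabler_vapp", (8, 3, 0, 33)): frozenset({2049, 2048}),
}


def parse_version(text: str) -> Version:
    """'8.4.0.15' -> (8, 4, 0, 15). Rejects anything that is not dotted
    integers so a typo in an inventory export fails loudly."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Appliance:
    host: str
    product: str
    version: str
    hotfix: Optional[int] = None   # hotfix number reported by the appliance, if any


def needs_patch(app: Appliance) -> bool:
    """True when the appliance is still inside the advisory's affected range."""
    if app.product not in FIRST_FIXED_VERSION:
        raise ValueError(f"product not covered by this advisory: {app.product!r}")
    version = parse_version(app.version)
    if version >= FIRST_FIXED_VERSION[app.product]:
        return False
    applicable = FIXING_HOTFIXES.get((app.product, version), frozenset())
    if app.hotfix is not None and app.hotfix in applicable:
        return False
    return True


def triage(inventory: Iterable[Appliance]) -> List[str]:
    """Hosts that still need the fix, sorted for stable reporting."""
    return sorted(a.host for a in inventory if needs_patch(a))


# Constructed inventory rows; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Appliance("uni-01", "unisphere_vapp", "8.4.0.15"),
    Appliance("uni-02", "unisphere_vapp", "8.3.0.10", hotfix=1084),
    Appliance("uni-03", "unisphere_vapp", "8.3.0.10"),
    Appliance("se-01", "solutions_enabler_vapp", "8.3.0.33", hotfix=2049),
    Appliance("se-02", "solutions_enabler_vapp", "8.4.0.9"),
    Appliance("vasa-01", "vasa_vapp", "8.4.0.100"),
    Appliance("vasa-02", "vasa_vapp", "8.4.0.512"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs patch:", host)
```

A hotfix only counts when it is one the advisory names for that exact build, which is why the hotfix table is keyed on product and version together rather than on product alone.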


Link to remedies:

Customers can download software for EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA and ISO from EMC Online 
Support at https://support.emc.com/downloads/27045_Unisphere-for-VMAX

Customers are recommended to contact Customer Support and place a Customer Service Request for all other fixes.

Credit:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative, for reporting this issue.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZ90fjAAoJEHbcu+fsE81ZtNYIAIQvi8RPtbxQv8PA5Q2vIsij
sCo3qsDMMA1wSViqiHVS03HmJXC/ju/snPKEwC7tGAyrwzdNxSrqUzQNwQur9V94
r7Uqfk/LxhuyXypUujw61UsPd9v7mhZ1x/kzxSkVP8000LMi2r6eihyBC3pI+eZ8
d3vr7V8x+jtco9YD9bzMYqwXsMWqINJTwZrTam+xpHIqZax/qsaHLx7aFK6nwT4d
6V2t9Jlyt7B80TyQuHDlA4CXJXMbW37zPi9iOiJwdHIB8QbM6tz8cVuM1jjCq922
5xDA27SEKPFXyl6O9zNqrFL0tahMwtLAizO8QM9b03FXaqdq7pnaCMBjgZS2jVc=
=Dt5B
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
