ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability

[EMC Product Security Response Center <Security_Alert@xxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability

EMC Identifier: ESA-2017-010
CVE Identifier: CVE-2016-6650
Severity Rating: CVSS v3 Base Score: CVSS v3 Score: 6.8 
(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

 
Affected products: 

?EMC RecoverPoint versions prior to 5.0

?EMC RecoverPoint for Virtual Machines versions prior to 5.0



Summary: 
EMC RecoverPoint update contains a fix for a SSL Stripping Vulnerability that 
may potentially be exploited by malicious users to compromise the affected 
system.
 
Details:  
The Unisphere for RecoverPoint management interface does not enforce SSL 
encryption from the client side. A man-in-the-middle attacker may trick the 
Unisphere for RecoverPoint browser to send information like login credentials 
in plain text. RecoverPoint 5.0 now supports HTTP Strict Transport Security 
(HSTS) to mitigate this issue. It can be enabled with a configuration change. 
For more information, see RecoverPoint?s Security Configuration Guide and 
RecoverPoint for Virtual Machines Security Configuration Guide. 



Resolution:  

The following EMC RecoverPoint releases contain resolutions to these 
vulnerabilities:

?EMC RecoverPoint 5.0

?EMC RecoverPoint for Virtual Machines 5.0


EMC recommends all customers upgrade to one of the above versions at the 
earliest opportunity. Customers are strongly advised to limit administrator 
privileges to trusted users and change default passwords to minimize the risk. 
See Security Configuration Guide for details.

Link to remedies:
Customers can download software from:  
https://support.emc.com/search/?text=RecoverPoint&searchLang=en_US&facetResource=DOWN

Credits:
EMC would like to thank Mike Erman, Jack Baker and Joshua Burbrink from 
Northrop Grumman for reporting this vulnerability
        
[The following is standard text included in all security advisories.  Please do 
not change or delete.]

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information 
to their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event, shall EMC or its suppliers, be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages, so the 
foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYngUyAAoJEHbcu+fsE81Zid8IAJJykyuG5hmvHAGNODIe+Oc8
bcKB8I5vp9w4EARKLMRkebK2B1y9ShDmqMYegfLBog7Q0JDsW+OXbhVndU2Js7Qt
wMKmlyWhCxl1GPmEuko9WKFAsljFJfO9QxOE9zrzYeQU7LksFoXYyFTsEW/YXRZn
ykMNS3pfDLnvYAwvQm+XxI0sSoYG9K9L/ytoSGpN1VMnnDN/bcka7ZoSGdC92U7V
3LLpSDuabYY2a2dO6Oempn45fiVbWgehE29AROcZ5paom+ROujjqIXWdBhqm+E1T
KPD69lPTCkkJusdcSmXgMFLKJ7VdCepM/QIGMUE/UFRdIWXmt8NttT6shxsoVL8=
=ZnO6
-----END PGP SIGNATURE-----