[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2017-036: EMC Data Domain Privilege Escalation Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-036: EMC Data Domain Privilege Escalation Vulnerability 

EMC Identifier: ESA-2017-036
        
CVE Identifier: CVE-2017-4983

Severity Rating: CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected products: 

?       EMC Data Domain OS 5.2 All versions 
?       EMC Data Domain OS 5.4 All versions
?       EMC Data Domain OS 5.5 All versions
?       EMC Data Domain OS 5.6 All versions
?       EMC Data Domain OS 5.7 All versions prior to DD OS 5.7.3.0
?       EMC Data Domain OS 6.0 All versions prior to DD OS 6.0.1.0

Summary: 

EMC Data Domain  OS is affected by a privilege escalation vulnerability that 
may potentially be exploited by attackers to compromise the affected system. 

Details: 

EMC Data Domain OS is potentially vulnerable to a privilege escalation 
vulnerability. 
A rogue administrator may be able to log in as the Security Office (SO) and 
escalate privileges by using SO user?s public key that is stored unprotected on 
the Data Domain system.  

Resolution: 

EMC recommends all customers upgrade to one of the versions listed below at the 
earliest opportunity, after verifying environment compatibility:

?       EMC Data Domain 5.7 - DD OS 5.7.3.0 or later
?       EMC Data Domain 6.0 - DD OS 6.0.1.0 or later

Please verify that the backup software in your environment is compatible with 
the target DD OS version before upgrading your system.


Link to remedies:
Registered EMC Online Support customers can download patches and software from: 

?       EMC Data Domain OS 5.7 version 5.7.3.0 is available at: 
https://support.emc.com
?       EMC Data Domain OS 6.0 version 6.0.1.0 is available at: 
https://support.emc.com

If you have any questions, please contact EMC Support.

Credit:
EMC would like to thank Geoffrey Janjua from Northrop Grumman for reporting 
this vulnerability.

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867. 


For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability. EMC 
Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJY3A//AAoJEHbcu+fsE81ZuGcH/3k5BGtFdpaWGGpRzJiPXAQ0
mlYXqe+sPw/zDBn5Km6VF+mKBDJ2RzJAEkahhBDtrIBzAzczwpbwQ/20RQ2FI7Jq
wRWeMkfeFxEKuFm+Gkwf8QRve9tTKJnibebA1NLg4S9TSj5wR63iy4kXq/ldZvul
MG2x2Nyaoscz2AgNna0qZYFtD+jMSferX/nOAQQPxR60duw7B/AEnI7QgaO9uFH0
t6YuhGdQXsqHOFx3uIxcDpgQIuGtA3eD/ZCPAUqcFfXFLHu2ygoNBhHUJ0kEO7XO
yUw2J03cTscSyE7C6J/sc+kAHQvC4dFOkK1gYmD/V0EAV5U5iBP/IN1AdbMFG7c=
=qekP
-----END PGP SIGNATURE-----