[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account Vulnerability

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account Vulnerability
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Tue, 26 Sep 2017 18:51:31 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account Vulnerability

EMC Identifier: ESA-2017-119
CVE Identifier: CVE-2017-8021
Severity Rating: CVSS Base Score: 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)

Affected products: 
*       EMC Elastic Cloud Storage all versions prior to 3.1

Summary:  
EMC Elastic Cloud Storage (ECS) is affected by an undocumented account 
vulnerability that could potentially be leveraged by malicious users to 
compromise the affected system.

Details:  
ECS versions prior to 3.1 contain an undocumented account (emcservice) that is 
protected with a default password. This user account is intended for use by 
customer support representatives to troubleshoot ECS configuration issues. A 
remote malicious user with the knowledge of the default password could 
potentially login to compromise the affected system. 

Resolution:  
Information about this account has been added to the ECS 3.1 Security 
Configuration Guide. EMC recommends all customers to change the default 
password at the earliest opportunity.

Link to Remedy:
Customers are requested to contact Customer Support to help change the default 
password for this account.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZypJ7AAoJEHbcu+fsE81Zox4H/R/y4X7VOWaM7dH/tZHcwdvr
kPZ+2OF/qGqArBpOQxO3l8tZp986Ru2BOz+VSZeh/4ZUl91o2SyNv5WdB3tT6bIl
VhWm9NtrCU60m5m2LAGvDnaycqjC+oDQOYJ0uD6bgYu5VGNPySaQ1Nd7yGucQ+nR
/8yxLWomiUmXJkW/7xeEBZ9sNugL9RdKBq30B4K9FPKtYQ8wcf7PF5rv8JHVqGax
bkbtJOjnYHeC+LUFtcJ9CPpC8MUQ2ua70LBSDeunPsOZdwjDLm8KhYZ75v0hCEi3
veye1eNG2/NRLFf25hMmNh7rh/nT2p4jsSAU6qYu11lQKPH36Iq6N9DXCSC/l44=
=8t9r
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can (WordPress plugin)
Next by Date: [FD] ESA-2017-115: EMC AppSync Host Plug-in Denial of Service Vulnerability
Previous by thread: [FD] CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can (WordPress plugin)
Next by thread: [FD] ESA-2017-115: EMC AppSync Host Plug-in Denial of Service Vulnerability
Index(es):
- Date
- Thread