[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Mon, 20 Nov 2017 18:07:35 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities

EMC Identifier:  ESA-2017-094

CVE Identifier:  CVE-2017-8001, CVE-2017-8019, CVE-2017-8020

Severity Rating: CVSSv3 Base Score:  See below for CVSS scores for individual 
CVEs

Affected products:  
EMC ScaleIO 2.0.1.x version family (2.0.1.3, 2.0.1.2, 2.0.1.1, 2.0.1)

Summary:  
EMC ScaleIO contains a number of vulnerabilities which could potentially be 
exploited by malicious users to compromise an affected system. 

Details:  
EMC ScaleIO contains the following vulnerabilities:

*       Sensitive Information Disclosure (CVE-2017-8001)
In a Linux environment, one of the EMC ScaleIO support scripts saves the 
credentials of the ScaleIO MDM user who executed the script in clear text in 
temporary log files. The temporary files may potentially be read by an 
unprivileged user with access to the server where the script was executed to 
recover exposed credentials. 

CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

*       Denial of Service (CVE-2017-8019)
A vulnerability in ScaleIO message parsers (MDM,SDS, and LIA) could potentially 
allow an unauthenticated remote attacker to send specifically crafted packets 
to stop ScaleIO services and cause denial of service situation .

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

*       ScaleIO Debugging (SDBG)  Service  Buffer Overflow CVE-2017-8020)
A buffer overflow vulnerability in ScaleIO SDBG service may potentially allow a 
remote unauthenticated attacker to execute arbitrary commands with root 
privileges on affected server. 

CVSSv3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Resolution:  
The following EMC ScaleIO release contains resolution to these vulnerabilities:
*       EMC ScaleIO version 2.0.1.4

For CVE-2017-8001, EMC recommends all customers follow additional steps 
documented in knowledgebase article 503560. 

Link to remedies:
Customers can download software from 
https://support.emc.com/downloads/33925_ScaleIO-Software. 

Credit:
EMC would like to thank David Berard, from Ubisoft Security & Risk Management 
team, for reporting these vulnerabilities.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaEwJcAAoJEHbcu+fsE81Z6ssH/3ULyHNPndX3ZkRb6CT4MRnq
K6iS3DFCacSumvs8O1NjCZFMQH2PkR5AFGx2Ttb308t9/MPimtxIWJt2Cq7ssXAX
PYpvYAiwo0LxFcltfZhJ06PIr1x64CrBWLpZxxiJVZkqpSzqHLfiY1M3CW5eJLEN
7TWX5g6k8PyQ1rAxmtP0AJu1LdacRBsQNWqnKUSf+0JoaPBWpFl5NOqaPCm+YTEt
YIfpWOUbC/R7k22P+/r/TaUw3JiYz+vGFDGs+tVVof5BuB7IgTvioqZHA6mh9W11
nRYGxyil0h/1g9t4/KBFMGpr0XqWGUANSjWOsPxYA5ejTyJvXRK4bsoudP0zLlg=
=lLMW
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] ESA-2017-152: RSA® Authentication Manager Software Stored Cross-Site Scripting Vulnerability
Next by Date: [FD] Clickjacking vulnerability in CSRF error page pfSense
Previous by thread: [FD] ESA-2017-152: RSA® Authentication Manager Software Stored Cross-Site Scripting Vulnerability
Next by thread: [FD] Clickjacking vulnerability in CSRF error page pfSense
Index(es):
- Date
- Thread