[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities

To: "'fulldisclosure@xxxxxxxxxxxx'" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Mon, 26 Mar 2018 13:23:57 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities

Dell EMC Identifier: DSA-2018-058
CVE Identifier: CVE-2018-1205, CVE-2018-1237, CVE-2018-1238
Severity: Medium
Severity Rating: CVSS v3 Base Score: See below for CVSS v3 scores

Affected products:  
Dell EMC ScaleIO versions prior to 2.5  

Summary:  
Dell EMC ScaleIO customers are encouraged to update to ScaleIO v2.5, which 
contains fixes for multiple security vulnerabilities in earlier ScaleIO 
software versions that could potentially be exploited by malicious users to 
compromise the affected system. 

Details:  
The vulnerability details are as follows:

*       Buffer overflow vulnerability (CVE-2018-1205) 
Dell EMC ScaleIO, versions prior to 2.5, do not properly handle some packet 
data in the MDM service. As a result, a remote attacker could potentially send 
specifically crafted packet data to the MDM service causing it to crash.
CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

*       Improper Restriction of Excessive Authentication Attempts Vulnerability 
 (CVE-2018-1237) 
Dell EMC ScaleIO versions prior to 2.5, contain improper restriction of 
excessive authentication attempts on the Light installation Agent (LIA). This 
component is deployed on every server in the ScaleIO cluster and is used for 
central management of ScaleIO nodes. A remote malicious user, having network 
access to LIA, could potentially exploit this vulnerability to launch brute 
force guessing of user names and passwords of user accounts on the LIA.
CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

*       Command injection vulnerability (CVE-2018-1238)
Dell EMC ScaleIO versions prior to 2.5, contain a command injection 
vulnerability in the Light Installation Agent (LIA). This component is used for 
central management of ScaleIO deployment and uses shell commands for certain 
actions. A remote malicious user, with network access to LIA and knowledge of 
the LIA administrative password, could potentially exploit this vulnerability 
to run arbitrary commands as root on the systems where LIAs are installed.
CVSSv3 Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)


Resolution:  
The following Dell EMC ScaleIO release contains resolutions to these 
vulnerabilities:
*       Dell EMC ScaleIO version 2.5

Dell EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download software from  
https://support.emc.com/downloads/40635_ScaleIO-Product-Family 

Credit:
Dell EMC would like to thank David Berard, from the Ubisoft Security & Risk 
Management team, for reporting these vulnerabilities.


Read and use the information in this Dell EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact Dell EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase 
solution emc218831. Dell EMC recommends all customers take into account both 
the base score and any relevant temporal and environmental scores which may 
impact the potential severity associated with particular security vulnerability.

Dell EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
Dell EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall Dell EMC or its suppliers, be liable for 
any damages whatsoever including direct, indirect, incidental, consequential, 
loss of business profits or special damages, even if Dell EMC or its suppliers 
have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation of liability for consequential or incidental 
damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJauOjDAAoJEHbcu+fsE81Z3/wH/jL9Ub908R9cXBOLhTbwCohq
pVPgYZwy8ew96iuUaqDgqy3KmarYebeZ9MAG2gxW5URYqNSO7LJBZG8Jo4qWB3gB
QuShn8UvJ0yfo4vxznkXtGjxhFLopYaoN+tgDQ3IjkcH3chvAHS0dnUk9Uj7OQsx
KEltBIFJmzv97ZxkCLxqEtNu0LSTFsvKhjyKl6lOJZ8yVfTZR/p+Awx1czEyJc8Z
/sfRBBgqJnK3LHBNEsuqCy+wedlDHwj+/d3wBr51eR0+3UrD2jRaDQVx3VkcE7Gb
DGjCoZRJ8qiWp7muB0rC7/6PxxxQcNlBludSiYDTkdrQpjot1G37w+TX1GFVUUk=
=FvDE
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] ManageEngine Service Desk Plus < 9403 Cross-Site Scripting
Next by Date: [FD] DSA-2018-040: RSA® Authentication Agent for Web for IIS and Apache Web Server Multiple Vulnerabilities
Previous by thread: [FD] ManageEngine Service Desk Plus < 9403 Cross-Site Scripting
Next by thread: [FD] DSA-2018-040: RSA® Authentication Agent for Web for IIS and Apache Web Server Multiple Vulnerabilities
Index(es):
- Date
- Thread