| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Nov 2017 18:07:35 +0000 From: EMC Product Security Response Center <Security_Alert@....com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ESA-2017-094: EMC ScaleIO Multiple Vulnerabilities EMC Identifier: ESA-2017-094 CVE Identifier: CVE-2017-8001, CVE-2017-8019, CVE-2017-8020 Severity Rating: CVSSv3 Base Score: See below for CVSS scores for individual CVEs Affected products: EMC ScaleIO 2.0.1.x version family (2.0.1.3, 2.0.1.2, 2.0.1.1, 2.0.1) Summary: EMC ScaleIO contains a number of vulnerabilities which could potentially be exploited by malicious users to compromise an affected system. Details: EMC ScaleIO contains the following vulnerabilities: * Sensitive Information Disclosure (CVE-2017-8001) In a Linux environment, one of the EMC ScaleIO support scripts saves the credentials of the ScaleIO MDM user who executed the script in clear text in temporary log files. The temporary files may potentially be read by an unprivileged user with access to the server where the script was executed to recover exposed credentials. CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) * Denial of Service (CVE-2017-8019) A vulnerability in ScaleIO message parsers (MDM,SDS, and LIA) could potentially allow an unauthenticated remote attacker to send specifically crafted packets to stop ScaleIO services and cause denial of service situation . CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) * ScaleIO Debugging (SDBG) Service Buffer Overflow CVE-2017-8020) A buffer overflow vulnerability in ScaleIO SDBG service may potentially allow a remote unauthenticated attacker to execute arbitrary commands with root privileges on affected server. CVSSv3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) Resolution: The following EMC ScaleIO release contains resolution to these vulnerabilities: * EMC ScaleIO version 2.0.1.4 For CVE-2017-8001, EMC recommends all customers follow additional steps documented in knowledgebase article 503560. Link to remedies: Customers can download software from https://support.emc.com/downloads/33925_ScaleIO-Software. Credit: EMC would like to thank David Berard, from Ubisoft Security & Risk Management team, for reporting these vulnerabilities. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJaEwJcAAoJEHbcu+fsE81Z6ssH/3ULyHNPndX3ZkRb6CT4MRnq K6iS3DFCacSumvs8O1NjCZFMQH2PkR5AFGx2Ttb308t9/MPimtxIWJt2Cq7ssXAX PYpvYAiwo0LxFcltfZhJ06PIr1x64CrBWLpZxxiJVZkqpSzqHLfiY1M3CW5eJLEN 7TWX5g6k8PyQ1rAxmtP0AJu1LdacRBsQNWqnKUSf+0JoaPBWpFl5NOqaPCm+YTEt YIfpWOUbC/R7k22P+/r/TaUw3JiYz+vGFDGs+tVVof5BuB7IgTvioqZHA6mh9W11 nRYGxyil0h/1g9t4/KBFMGpr0XqWGUANSjWOsPxYA5ejTyJvXRK4bsoudP0zLlg= =lLMW -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists