lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1BF8853173D9704A93EF882F85952A892DD1A6@MX304CL04.corp.emc.com>
Date: Thu, 14 Sep 2017 13:39:28 +0000
From: EMC Product Security Response Center <Security_Alert@....com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ESA-2017-098: EMC Data Protection Advisor Hardcoded Password
 Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-098: EMC Data Protection Advisor Hardcoded Password Vulnerability 

EMC Identifier: ESA-2017-098
CVE Identifier: CVE-2017-8013
Severity Rating: CVSS v3 Base Score: 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)

Affected products:  
*	EMC Data Protection Advisor versions 6.3.x
*	EMC Data Protection Advisor versions 6.4.x  

Summary:  
EMC Data Protection Advisor contains undocumented accounts with hard-coded passwords that could potentially be exploited by malicious users to compromise the affected system. 

Details:  
EMC Data Protection Advisor contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges). 

Resolution:  
The following EMC Data Protection Advisor release contains resolutions to this vulnerability:
*	EMC Data Protection Advisor version 6.4 patch 130 
*	EMC Data Protection Advisor version 6.3 patch 67
 
"Apollo System Test" and "emc.dpa.metrics.logon" accounts are no longer required for product functionality and have been removed in versions listed above. 

The password for "emc.dpa.agent.logon" account can be now changed via the remediated patches listed above. See release notes for more information.  

EMC recommends all customers upgrade at the earliest opportunity. 


Link to remedies:
Registered EMC Online Support customers can download the required patch from support.emc.com at https://support.emc.com/downloads/829_Data-Protection-Advisor 
If you have any questions, contact DELL/EMC Support.

Credits:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative, for reporting this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZuS8nAAoJEHbcu+fsE81ZpsYH/1dCtL7yvXP9PzWayZ+rkp0H
9tPyftwFfObW7LhUqfVfUPafsoZrU6RFmHlVgwGe2p2xAYM9DroFxhDAh2yL1+W7
1XkL5OGtVA+RE+zt4mrAle+lUP+2esg+hg/uijTeC1xlwtNZRKp3sOCBmwIqqhzv
g3j7XTn6jWXDRnBeY8EOMv/9J5ArmF/CWqeDIEclSMCytNI3j5CLi5nuuowEd79p
eWxoYE/zSOZGWd/lXG3xG6tzBTe9w/7bkO4u/ZECS6HpOvajtOvprvj2rE+dV4qR
MIycphNyNHgFhaNRv9f/H0srni8boTDcQehUWGdEO7vXEnBHyBucNNnxKuRmyUM=
=KDW2
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ