[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1BF8853173D9704A93EF882F85952A892F90FE@MX304CL04.corp.emc.com>
Date: Tue, 26 Sep 2017 18:51:31 +0000
From: EMC Product Security Response Center <Security_Alert@....com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account
Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2017-119: EMC Elastic Cloud Storage Undocumented Account Vulnerability
EMC Identifier: ESA-2017-119
CVE Identifier: CVE-2017-8021
Severity Rating: CVSS Base Score: 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)
Affected products:
* EMC Elastic Cloud Storage all versions prior to 3.1
Summary:
EMC Elastic Cloud Storage (ECS) is affected by an undocumented account vulnerability that could potentially be leveraged by malicious users to compromise the affected system.
Details:
ECS versions prior to 3.1 contain an undocumented account (emcservice) that is protected with a default password. This user account is intended for use by customer support representatives to troubleshoot ECS configuration issues. A remote malicious user with the knowledge of the default password could potentially login to compromise the affected system.
Resolution:
Information about this account has been added to the ECS 3.1 Security Configuration Guide. EMC recommends all customers to change the default password at the earliest opportunity.
Link to Remedy:
Customers are requested to contact Customer Support to help change the default password for this account.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJZypJ7AAoJEHbcu+fsE81Zox4H/R/y4X7VOWaM7dH/tZHcwdvr
kPZ+2OF/qGqArBpOQxO3l8tZp986Ru2BOz+VSZeh/4ZUl91o2SyNv5WdB3tT6bIl
VhWm9NtrCU60m5m2LAGvDnaycqjC+oDQOYJ0uD6bgYu5VGNPySaQ1Nd7yGucQ+nR
/8yxLWomiUmXJkW/7xeEBZ9sNugL9RdKBq30B4K9FPKtYQ8wcf7PF5rv8JHVqGax
bkbtJOjnYHeC+LUFtcJ9CPpC8MUQ2ua70LBSDeunPsOZdwjDLm8KhYZ75v0hCEi3
veye1eNG2/NRLFf25hMmNh7rh/nT2p4jsSAU6qYu11lQKPH36Iq6N9DXCSC/l44=
=8t9r
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists