Zero-Day Alert: Multiple Vulnerabilities Within the EMC VMAX

By Fortra's Digital Defense

Today Digital Defense is publishing six zero-day vulnerabilities found in the Dell EMC VMAX Management Product family that our vulnerability research team discovered and brought to the attention of Dell EMC. Dell EMC has been extremely professional and worked diligently with Digital Defense engineering staff to understand, resolve and verify the fixes for these security issues.

Dell EMC has confirmed they will be releasing an update for these flaws in the near future. Dell EMC follows coordinated disclosure practices and requests that the above information be treated with strict confidentiality until complete resolutions are available for customers and have been published by the EMC Product Security Response Center through the appropriate coordinated disclosure process. For more details on EMC Vulnerability Response Policy see https://www.emc.com/products/security/product-security-response-center.htm. Please contact EMC technical support representatives for further details.

Clients who currently use our Frontline™ VM platform, or prospects using our trial system to check their external networks, can sweep for the presence of all of these issues by performing a full vulnerability assessment scan.

Details of the vulnerabilities are as follows:
Vendor: EMC
Product: VMAX Management Product Family
Version Tested: 8.1.2.3
Link: https://www.emc.com/storage/symmetrix-vmax/management.htm

Brief product description:

  • Unisphere for VMAX provides a web-based management interface to provision, manage and monitor VMAX storage systems.
  • vApp Manager is a configuration and support tool for VMware vApp deployments.

Summary:

  1. DDI-VRT-2016-61: Unauthenticated XML External Entity Injection via Crafted AMF Message (GraniteDS library, CVE-2016-2340) (High)
  2. DDI-VRT-2016-62: Unauthenticated Command Execution in GetSymmCmdRequest via Crafted AMF Message (Critical)
  3. DDI-VRT-2016-63: Authenticated Command Execution in GeneralCmdRequest via Crafted AMF Message (High)
  4. DDI-VRT-2016-64: Authenticated Command Execution in PersistantDataRequest via Crafted AMF Message (High)
  5. DDI-VRT-2016-65: Authenticated Command Execution in GetCommandExecRequest via Crafted AMF Message (High)
  6. DDI-VRT-2016-66: Authentication Bypass in the RemoteServiceHandler Class (Critical)

Vulnerability: Unauthenticated XML External Entity Injection via Crafted AMF Message
(CVE-2016-2340, GraniteDS library, granite-core-2.2.1.GA.jar)

Product versions affected: Unisphere for VMAX 8.0.x - 8.2.x

Impact: Arbitrary file retrieval with root privileges and denial of service.

Details: No authentication is required to exploit this vulnerability. The Unisphere for VMAX application uses the GraniteDS library to provide server-side support for the Flash-based portion of the Unisphere web application. The version of the library used by the application does not prevent the use of XML external entities, which allows an attacker to retrieve arbitrary text files from the virtual appliance with root privileges.

 

Vulnerability: Unauthenticated Command Execution in GetSymmCmdRequest via Crafted AMF Message
Product versions affected: vApp Manager 8.0.x - 8.2.x
Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Details: No authentication is required to exploit this vulnerability. The EMC vApp Manager for Unisphere for VMAX web app runs on port 5480, and its Flash-based user interface uses the AMF protocol to communicate with the server. The server-side implementation is located in EMC_SE_SERVER.jar. The GetSymmCmdRequest AMF message takes two parameters: the first is a string array containing the command and its arguments, and the second is a placeholder for the command output. The GetSymmCmdCommand class then executes this using the ExecUtil class, which calls Java's Runtime exec method with the string array as the argument before returning the output to the client. No validation is done on the input for this command.

 

Vulnerability: Authenticated Command Execution in GeneralCmdRequest via Crafted AMF Message
Product versions affected: vApp Manager 8.0.x - 8.2.x
Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Details: Authentication is required to exploit this vulnerability; however, this requirement is easily bypassed using another vulnerability to add a new admin user without authentication. The EMC vApp Manager for Unisphere for VMAX web app runs on port 5480, and its Flash-based user interface uses the AMF protocol to communicate with the server. The server-side implementation is located in EMC_SE_SERVER.jar. The GeneralCmdRequest AMF message takes four parameters: the first is a string array containing the command and its arguments, the second is a placeholder for the command output, the third is an integer representing the request type, and the fourth is an ArrayList used to store the output from parsing a license file if the request type is 47. The GeneralCmdCommand class then executes this using the ExecUtil class, which calls Java's Runtime exec method with the string array as the argument before returning the output to the client. No validation is done on the input for this command.

 

Vulnerability: Authenticated Command Execution in PersistantDataRequest via Crafted AMF Message
Product versions affected: vApp Manager 8.0.x - 8.2.x
Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Details: Authentication is required to exploit this vulnerability; however, this requirement is easily bypassed using another vulnerability to add a new admin user without authentication. The EMC vApp Manager for Unisphere for VMAX web app runs on port 5480, and its Flash-based user interface uses the AMF protocol to communicate with the server. The server-side implementation is located in EMC_SE_SERVER.jar. The PersistantDataRequest AMF message takes three parameters: the first is a string array containing the command and its arguments, the second is a placeholder for the command output, and the third is an integer representing the request type. The PersistantDataCommand class then executes this using the ExecUtil class, which calls Java's Runtime exec method with the string array as the argument. No validation is done on the input for this command.

 

Vulnerability: Authenticated Command Execution in GetCommandExecRequest via Crafted AMF Message
Product versions affected: vApp Manager 8.0.x - 8.2.x
Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Details: Authentication is required to exploit this vulnerability; however, this requirement is easily bypassed using another vulnerability to add a new admin user without authentication. The EMC vApp Manager for Unisphere for VMAX web app runs on port 5480, and its Flash-based user interface uses the AMF protocol to communicate with the server. The server-side implementation is located in EMC_SE_SERVER.jar. The GetCommandExecRequest AMF message takes three parameters: the first is a string array containing the command and its arguments, the second is a placeholder for the command output, and the third is an integer representing the request type. The GetCommandExecCommand class then executes this using the ExecUtil class, which calls Java's Runtime exec method with the string array as the argument before returning the output to the client. No validation is done on the input for this command.
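The four command-execution findings above (GetSymmCmdRequest, GeneralCmdRequest, PersistantDataRequest and GetCommandExecRequest) share one root cause: the client supplies the whole string array that reaches Runtime exec. The following is an added example, not code from EMC_SE_SERVER.jar, that puts the unsafe shape beside a hardened one. Note that exec(String[]) never invokes a shell, so metacharacter filtering would not have helped here; the fix is that the server, not the client, decides which binary runs and which arguments it gets. The operation names, binary paths and argument rules are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public class CommandRequestHandler {

    // Unsafe shape, as the advisory describes it: the client's array is argv. Element 0 is the
    // binary, so the caller can run anything on the appliance with the server's privileges.
    public static String execUnchecked(String[] clientArgv) throws IOException, InterruptedException {
        Process p = Runtime.getRuntime().exec(clientArgv);
        return drain(p);
    }

    // Hardened shape: the client names an operation; the server owns the binary and fixed flags.
    // "--" ends option parsing so a client value can never be read as a flag. (Paths assumed.)
    private static final Map<String, List<String>> OPERATIONS = Map.of(
        "uptime",    List.of("/usr/bin/uptime"),
        "disk_free", List.of("/bin/df", "-h", "--"),
        "file_info", List.of("/usr/bin/stat", "--"));

    // How many client-supplied values each operation accepts; most need none.
    private static final Map<String, Integer> MAX_ARGS = Map.of(
        "uptime", 0, "disk_free", 1, "file_info", 1);

    // Client values: short, printable tokens, no whitespace, no leading dash.
    private static final Pattern SAFE_ARG = Pattern.compile("^[A-Za-z0-9/][A-Za-z0-9_./-]{0,63}$");

    // Pure policy function: builds argv or throws. Kept separate so it can be tested without spawning.
    public static List<String> buildArgv(String operation, List<String> clientArgs) {
        List<String> fixed = OPERATIONS.get(operation);
        if (fixed == null) {
            throw new IllegalArgumentException("unknown operation: " + operation);
        }
        if (clientArgs.size() > MAX_ARGS.get(operation)) {
            throw new IllegalArgumentException("too many arguments for " + operation);
        }
        List<String> argv = new ArrayList<>(fixed);
        for (String a : clientArgs) {
            if (!SAFE_ARG.matcher(a).matches() || a.contains("..")) {
                throw new IllegalArgumentException("rejected argument: " + a);
            }
            argv.add(a);
        }
        return argv;
    }

    public static String execAllowlisted(String operation, List<String> clientArgs)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(buildArgv(operation, clientArgs)).redirectErrorStream(true).start();
        return drain(p);
    }

    // Reads all output, then bounds how long the server waits for the child to exit.
    private static String drain(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (!p.waitFor(10, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("command timed out");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed requests: one the policy accepts, three it refuses.
        System.out.println("accepted argv: " + buildArgv("disk_free", List.of("/")));
        Object[][] rejected = {
            {"shutdown",  List.of()},                 // not an allowlisted operation
            {"uptime",    List.of("now")},            // operation takes no arguments
            {"file_info", List.of("../other/file")},  // traversal token
        };
        for (Object[] r : rejected) {
            try {
                @SuppressWarnings("unchecked")
                List<String> a = (List<String>) r[1];
                buildArgv((String) r[0], a);
                System.out.println("UNEXPECTED: accepted " + r[0]);
            } catch (IllegalArgumentException ex) {
                System.out.println("refused: " + ex.getMessage());
            }
        }
    }
}
```

Where a handler still needs an "output placeholder" parameter like the ones in these messages, the hardened path simply ignores it and returns the captured output itself; nothing the client sends should influence what runs.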

 

Vulnerability: Authentication Bypass in the RemoteServiceHandler Class
Product versions affected: vApp Manager 8.0.x - 8.2.x
Impact: Arbitrary command execution with root privileges, ability to add new admin users, and complete compromise of the virtual appliance.

Details: The EMC vApp Manager for Unisphere for VMAX web app runs on port 5480, and its Flash-based user interface uses the AMF protocol to communicate with the server. The server-side implementation is located in EMC_SE_SERVER.jar. The RemoteServiceHandler class handles AMF messages using the "executeCommand" operation. This class only verifies that the client session is valid for the GeneralCmdRequest, GetCommandExecRequest, and PersistantDataRequest AMF messages. The lack of session validation by this class for other AMF message types allows unauthenticated users to bypass authentication and call several other classes, such as UserManagementRequest (which can be used to add a new admin user) and GetSymmCmdRequest (arbitrary root command execution).
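The handler described above authenticates only the message types it lists, so every type left off the list runs anonymously. The following added example, not the RemoteServiceHandler code itself, contrasts that shape with a deny-by-default dispatcher that checks the session before the message type is consulted and exempts only an explicit pre-login allowlist. The Request record, the SessionStore interface, the LoginRequest name and the handler stubs are constructed for this example (Java 17 or later assumed); the other message-type names are taken from the advisory.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class RemoteServiceDispatcher {

    // Stand-ins for the AMF request and the session store, constructed for this example.
    public record Request(String type, String sessionId) {}

    public interface SessionStore {
        boolean isValid(String sessionId);
    }

    // Flawed shape: the session check is keyed on a list of "sensitive" types, so any type
    // not on the list (present today or added later) is dispatched without a session.
    private static final Set<String> CHECKED_TYPES = Set.of(
        "GeneralCmdRequest", "GetCommandExecRequest", "PersistantDataRequest");

    public static String dispatchFlawed(Request r, SessionStore sessions,
                                        Map<String, Function<Request, String>> handlers) {
        if (CHECKED_TYPES.contains(r.type()) && !sessions.isValid(r.sessionId())) {
            return "ERROR: not authenticated";
        }
        Function<Request, String> h = handlers.get(r.type());
        return h == null ? "ERROR: unknown request type" : h.apply(r);
    }

    // Hardened shape: authenticate first, for every type. The only exemptions are an explicit,
    // deliberately short allowlist of messages that must work before login (name assumed).
    private static final Set<String> PUBLIC_TYPES = Set.of("LoginRequest");

    public static String dispatchHardened(Request r, SessionStore sessions,
                                          Map<String, Function<Request, String>> handlers) {
        if (!PUBLIC_TYPES.contains(r.type()) && !sessions.isValid(r.sessionId())) {
            return "ERROR: not authenticated";
        }
        Function<Request, String> h = handlers.get(r.type());
        return h == null ? "ERROR: unknown request type" : h.apply(r);
    }

    public static void main(String[] args) {
        // Constructed session store with exactly one live session id.
        SessionStore sessions = id -> "sess-0001".equals(id);
        // Handler stubs named after message types from the advisory; bodies are placeholders.
        Map<String, Function<Request, String>> handlers = Map.of(
            "LoginRequest",          r -> "login processed",
            "GeneralCmdRequest",     r -> "privileged command handler ran",
            "GetSymmCmdRequest",     r -> "privileged command handler ran",
            "UserManagementRequest", r -> "user management handler ran");

        Request anonUserMgmt = new Request("UserManagementRequest", null);
        Request anonGeneral  = new Request("GeneralCmdRequest", null);
        Request authed       = new Request("GetSymmCmdRequest", "sess-0001");

        // Flawed dispatcher: the listed type is refused, the unlisted one runs with no session at all.
        System.out.println("flawed   / no session / GeneralCmdRequest:     "
                + dispatchFlawed(anonGeneral, sessions, handlers));
        System.out.println("flawed   / no session / UserManagementRequest: "
                + dispatchFlawed(anonUserMgmt, sessions, handlers));
        // Hardened dispatcher: every anonymous request is refused; the authenticated one proceeds.
        System.out.println("hardened / no session / UserManagementRequest: "
                + dispatchHardened(anonUserMgmt, sessions, handlers));
        System.out.println("hardened / session    / GetSymmCmdRequest:     "
                + dispatchHardened(authed, sessions, handlers));
    }
}
```

The structural point is that the flawed version has to be updated every time a privileged message type is added, and one omission reopens the bypass; the hardened version fails closed, so a new type is authenticated by default and only a conscious addition to PUBLIC_TYPES can expose it.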
