Vulnerabilities Found in the Dell EMC VMAX Management Product Family

By Vulnerability Research Team

The Digital Defense, Inc. Vulnerability Research Team (VRT) has identified six previously undisclosed security vulnerabilities found in the Dell EMC VMAX Management Product family. Summary information for these flaws can be found below.

Checks for the identified vulnerabilities are available now in Frontline™ Vulnerability Manager. Clients are encouraged to run a full vulnerability assessment which includes the checks for the Dell EMC VMAX Management Product vulnerabilities or run Scan Policy EMC Unisphere for VMAX September 2016 to check specifically for only the vulnerabilities identified in this advisory.

 

Affected Platforms

Vendor: Dell EMC

Product: Dell EMC Unisphere for VMAX and vApp Manager

Versions Tested:  8.1.2.3

Linkhttps://www.emc.com/storage/symmetrix-vmax/management.htm

Brief product description: Unisphere for VMAX provides a web based management interface to provision, manage and monitor VMAX storage systems. vApp Manager is a configuration and support tool for VMware vApp deployments.

 

Vulnerability Information

DDI-VRT-2016-61: Unauthenticated XML External Entity Injection via Crafted AMF Message (High)

Impact: Arbitrary file retrieval with root privileges and denial of service.

Product versions affected: Unisphere for VMAX 8.0.x - 8.2.x

Vulnerability: The Unisphere for VMAX application uses the GraniteDS library to provide server side support for the Flash based portion of the Unisphere web application. The version of the library used by the application does not prevent the use of XML external entities which allows an attacker to retrieve arbitrary text files from the virtual appliance with root privileges. No authentication is required to exploit this vulnerability.

 

DDI-VRT-2016-62: Unauthenticated Command Execution in GetSymmCmdRequest via Crafted AMF Message (Critical)

Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Product versions affected: vApp Manager 8.0.x - 8.2.x

Vulnerability: The vApp Manager for Unisphere for VMAX web app runs on port 5480 and the Flash based user interface uses the AMF protocol to communicate with the server. The GetSymmCmdCommand class executes the AMF message using the ExecUtil class which calls Java's Runtime exec method with the string array as the argument before returning the output to the client. No validation is done on the input for this command. No authentication is required to exploit this vulnerability.

 

DDI-VRT-2016-63: Authenticated Command Execution in GeneralCmdRequest via Crafted AMF Message (High)

Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Product versions affected: vApp Manager 8.0.x - 8.2.x

Vulnerability: The vApp Manager for Unisphere for VMAX web app runs on port 5480 and the Flash based user interface uses the AMF protocol to communicate with the server. The GeneralCmdCommand class executes the AMF message using the ExecUtil class which calls Java's Runtime exec method with a string array as the argument before returning the output to the client. No validation is done on the input for this command. Authentication is required to exploit this vulnerability, however this requirement is easily bypassed using another vulnerability to add a new admin user without authentication.

  

DDI-VRT-2016-64: Authenticated Command Execution in PersistantDataRequest via Crafted AMF Message (High)

Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Product versions affected: vApp Manager 8.0.x – 8.2.x

Vulnerability: The vApp Manager for Unisphere for VMAX web app runs on port 5480 and the Flash based user interface uses the AMF protocol to communicate with the server. The PersistantDataCommand class executes the AMF message using the ExecUtil class which calls Java's Runtime exec method with a string array as the argument. No validation is done on the input for this command.  Authentication is required to exploit this vulnerability, however this requirement is easily bypassed using another vulnerability to add a new admin user without authentication

 

DDI-VRT-2016-65: Authenticated Command Execution in GetCommandExecRequest via Crafted AMF Message (High)

Impact: Arbitrary command execution with root privileges, complete compromise of the virtual appliance.

Product versions affected: vApp Manager 8.0.x - 8.2.x

Vulnerability: The vApp Manager for Unisphere for VMAX web app runs on port 5480 and the Flash based user interface uses the AMF protocol to communicate with the server. The GetCommandExecCommand class executes the AMF message using the ExecUtil class which calls Java's Runtime exec method with a string array as the argument before returning the output to the client. No validation is done on the input for this command. Authentication is required to exploit this vulnerability, however this requirement is easily bypassed using another vulnerability to add a new admin user without authentication.

DDI-VRT-2016-66: Authentication Bypass in the RemoteServiceHandler Class (Critical)

Impact: Arbitrary command execution with root privileges, ability to add new admin users, and complete compromise of the virtual appliance.

Product versions affected: vApp Manager 8.0.x – 8.2.x

Vulnerability: The vApp Manager for Unisphere for VMAX web app runs on port 5480 and the Flash based user interface uses the AMF protocol to communicate with the server. The RemoteServiceHandler class handles AMF messages using the "executeCommand" operation. This class only verifies that the client session is valid for the GeneralCmdRequest, GetCommandExecRequest, and PersistantDataRequest AMF messages. The lack of session validation by this class for other AMF messages types allows unauthenticated users to bypass authentication and call several other classes such as UserManagementRequest (can be used to add new admin user) and GetSymmCmdRequest (arbitrary root command execution).

 

Solution Description:

Dell EMC has released two security advisories to address these vulnerabilities. The security advisories are accessible to customers on the Dell EMC Online Support website. Dell EMC follows coordinated disclosure practices and requests that the above information be treated with strict confidentiality until complete resolutions are available for customers and have been published by the Dell EMC Product Security Response Center through the appropriate coordinated disclosure process. For more details on Dell EMC Vulnerability Response Policy see https://www.emc.com/products/security/product-security-response-center.htm. Please contact Dell EMC technical support representatives for further details.

 

Vendor Contact:

Dell EMC Corporation

https://support.emc.com/

Share This