Dell-owned enterprise storage company EMC has issued alerts for its VMAX device management product family after a security vendor discovered six previously undisclosed vulnerabilities in the software.
Texas-based security vendor Digital Defense said it had found zero-day vulnerabilities in the web-based Unisphere for VMAX storage systems and the vApp configuration tool for VMware vApp deployments.
Two of the vulnerabilities are rated as critical, allowing attackers to run any code with full, root superuser privileges. Such an attack would result in the complete compromise of the virtual EMC appliance, Digital Defense said.
A further three are rated as high risk, and also allow attackers to fully compromise EMC appliances remotely. Another high-risk vulnerability can be exploited for arbitrary file retrieval and a denial of service attack on storage appliances.
Most of the vulnerabilities for the Adobe Flash-based EMC vApp Manager for Unisphere are due to insecure Java code with lack of input validation for commands.
One other flaw for the vApp configuration tool means communication sessions between the Flash interface and the server running commands are not validated. This allows attackers to bypass authentication and issue arbitrary commands with root level privileges, Digital Defense said.
Dell-EMC has issued two security advisories that address the vulnerabilities, which require users to create logins for access.