Zero-days discovered in EMC VMAX products

By

Full compromise of appliances possible.

Dell-owned enterprise storage company EMC has issued alerts for its VMAX device management product family after a security vendor discovered six previously undisclosed vulnerabilities in the software.

Zero-days discovered in EMC VMAX products

Texas-based security vendor Digital Defense said it had found zero-day vulnerabilities in the web-based Unisphere for VMAX storage systems and the vApp configuration tool for VMware vApp deployments.

Two of the vulnerabilities are rated as critical, allowing attackers to run any code with full, root superuser privileges. Such an attack would result in the complete compromise of the virtual EMC appliance, Digital Defense said.

A further three are rated as high risk, and also allow attackers to fully compromise EMC appliances remotely. Another high-risk vulnerability can be exploited for arbitrary file retrieval and a denial of service attack on storage appliances.

Most of the vulnerabilities for the Adobe Flash-based EMC vApp Manager for Unisphere are due to insecure Java code with lack of input validation for commands.

One other flaw for the vApp configuration tool means communication sessions between the Flash interface and the server running commands are not validated. This allows attackers to bypass authentication and issue arbitrary commands with root level privileges, Digital Defense said.

Dell-EMC has issued two security advisories that address the vulnerabilities, which require users to create logins for access.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

Log In

  |  Forgot your password?