Zero-days discovered in EMC VMAX products

By

Full compromise of appliances possible.

Dell-owned enterprise storage company EMC has issued alerts for its VMAX device management product family after a security vendor discovered six previously undisclosed vulnerabilities in the software.

Zero-days discovered in EMC VMAX products

Texas-based security vendor Digital Defense said it had found zero-day vulnerabilities in the web-based Unisphere for VMAX storage systems and the vApp configuration tool for VMware vApp deployments.

Two of the vulnerabilities are rated as critical, allowing attackers to run any code with full, root superuser privileges. Such an attack would result in the complete compromise of the virtual EMC appliance, Digital Defense said.

A further three are rated as high risk, and also allow attackers to fully compromise EMC appliances remotely. Another high-risk vulnerability can be exploited for arbitrary file retrieval and a denial of service attack on storage appliances.

Most of the vulnerabilities for the Adobe Flash-based EMC vApp Manager for Unisphere are due to insecure Java code with lack of input validation for commands.

One other flaw for the vApp configuration tool means communication sessions between the Flash interface and the server running commands are not validated. This allows attackers to bypass authentication and issue arbitrary commands with root level privileges, Digital Defense said.

Dell-EMC has issued two security advisories that address the vulnerabilities, which require users to create logins for access.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack

Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

International Criminal Court hit by cyber attack

International Criminal Court hit by cyber attack

Log In

  |  Forgot your password?