Multiple Vulnerabilities Discovered in Dell EMC vApp Manager Which Could Allow Arbitrary Code Execution

ITS Advisory Number: 2016-168
Date(s) Issued: Tuesday, October 4, 2016
Subject: Multiple Vulnerabilities Discovered in Dell EMC vApp Manager Which Could Allow Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Dell EMC's vApp Manager for Unisphere for VMAX. vApp Manager is a configuration and support tool for VMware vApp deployments, and Unisphere for VMAX enables customers to easily provision, manage, and monitor VMAX environments. The worst of these vulnerabilities allows arbitrary command execution. A successful exploitation may lead to an attacker bypassing authentication and adding a new admin user.

Systems Affected: 
  • EMC Unisphere for VMAX Virtual Appliance 8.3.0

  • EMC Solutions Enabler Virtual Appliance 8.3.0

  • EMC Replication Manager
    • 5.5 SP2 and 5.5 SP1
    • 5.5; 5.4; 5.3; 5.2; 5.1 and 5.0
    • 4.3; 3.0
    • 2.2.0
    • 2.1.1 and 2.1.0
    • 2.0.0
    • 1.2.0
    • 1.0.0
Risk: 
  • Government
    • Large and medium government entities: High
    • Small government entities: High
  • Business
    • Large and medium business entities: High
    • Small business entities: High
  • Home Users: N/A
Description: 

Multiple vulnerabilities have been discovered in Dell EMC's vApp Manager for Unisphere for VMAX. Unisphere for VMAX enables customers to easily provision, manage, and monitor VMAX environments, and vApp Manager is a configuration and support tool for VMware vApp deployments. The worst of these vulnerabilities allows arbitrary command execution. Details of these vulnerabilities are as follows:

  • A remote unauthenticated attacker may execute arbitrary commands with high privileges on an RM Client by starting a rogue RM Server that connects to the RM Client and executes a malicious script or payload that the attacker has placed in an SMB share accessible to the RM Client. (

  • Unauthenticated Command Execution - The vApp Manager web application may be vulnerable to unauthenticated remote code execution. The vApp Manager runs on port 5480 and has a Flash-based user interface that uses the AMF protocol to communicate with the server. Two classes, GetSymmCmdRequest and RemoteServiceHandler, perform no input validation and require no authentication, and may be leveraged by an attacker to run arbitrary code on the system with root privileges. (CVE-2016-6646)

  • Authenticated Command Execution - The vApp Manager web application may be vulnerable to authenticated remote code execution. The vApp Manager runs on port 5480 and has a Flash-based user interface that uses the AMF protocol to communicate with the server. Three classes, GeneralCmdRequest, PersistantDataRequest, and GetCommandExecRequest, perform no input validation and may be leveraged by an authenticated attacker to run arbitrary code on the system with root privileges. ()

  • ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which may make it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions. (CVE-2015-3197)

  • The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which may make it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file. (CVE-2016-0701)

  • The AMF framework in Granite Data Services 3.1.1-SNAPSHOT may allow remote authenticated users to read arbitrary files, send TCP requests to intranet servers, or cause a denial of service from an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. (CVE-2016-2340)

A successful exploitation may lead to an attacker bypassing authentication and adding a new admin user.
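
A defender-side check for the two vApp Manager items above, as an added example that is not part of the advisory or of Dell EMC code: it scans captured request bodies sent to port 5480 for the five class names the advisory lists and groups hits by source. It assumes decrypted bodies are available (for example from a TLS-terminating proxy); the record fields (`src`, `dst_port`, `content_type`, `body`), the `com.example` package and the sample records are constructed for illustration.

```python
import re

# Class names and the port come from the advisory; the rest is constructed.
UNAUTH = {"GetSymmCmdRequest", "RemoteServiceHandler"}  # CVE-2016-6646
AUTH = {"GeneralCmdRequest", "PersistantDataRequest", "GetCommandExecRequest"}
VAPP_PORT = 5480
AMF_TYPE = "application/x-amf"

# AMF writes a typed object's class name as a UTF-8 string, usually qualified.
# Only the trailing edge is guarded: the preceding length byte may be printable.
NAME_RE = re.compile(
    b"(" + b"|".join(n.encode() for n in sorted(UNAUTH | AUTH)) + rb")(?![\w$])")

def classify(record):
    """Return (severity, class_names) for one captured request, or None."""
    if record["dst_port"] != VAPP_PORT:
        return None
    names = {m.decode() for m in NAME_RE.findall(record["body"])}
    if not names:
        return None
    # Classes reachable without a login are the worse finding.
    return ("critical" if names & UNAUTH else "high"), names

def triage(records):
    """Group hits by source address, keeping the worst severity seen."""
    report = {}
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        entry = report.setdefault(rec["src"], {
            "severity": "high", "classes": set(), "odd_content_type": False})
        if hit[0] == "critical":
            entry["severity"] = "critical"
        entry["classes"] |= hit[1]
        ctype = rec.get("content_type", "").split(";")[0].strip().lower()
        entry["odd_content_type"] |= ctype != AMF_TYPE
    return report

# Constructed records (not real traffic); "com.example" is a made-up package.
SAMPLE = [
    {"src": "192.0.2.5", "dst_port": 5480, "content_type": "application/x-amf",
     "body": b"\x00\x03\x00\x01\x0a\x13=com.example.GetSymmCmdRequest\x06\x05id"},
    {"src": "192.0.2.7", "dst_port": 5480, "content_type": "text/plain",
     "body": b"\x0a\x0b;com.example.GeneralCmdRequest\x01"},
    {"src": "192.0.2.8", "dst_port": 5480, "content_type": "application/x-amf",
     "body": b"\x0a\x0bcom.example.RemoteServiceHandlerTest\x01"},
    {"src": "192.0.2.9", "dst_port": 443, "content_type": "application/x-amf",
     "body": b"\x0a\x0b=com.example.GetSymmCmdRequest\x01"},
]
```

Calling `triage(SAMPLE)` reports two sources: one referencing a class that needs no authentication, and one referencing an authenticated class under a non-AMF content type.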

Actions: 
  • After appropriate testing, apply patches provided by Dell EMC to vulnerable systems.

  • Dell EMC customers can download the software upgrade from the Dell EMC web portal at http://support.emc.com/downloads