DELL EMC PATCHES CRITICAL FLAWS IN VMAX ENTERPRISE STORAGE SYSTEMS
Dell EMC fixed two critical flaws in the management interfaces for its VMAX enterprise storage systems. One of the vulnerabilities could allow a remote attacker to use a hard-coded password for a default account to gain unauthorized access to systems. The company issued updates that address the two vulnerabilities, CVE-2018-1215 and CVE-2018-1216, on Tuesday.

Dell EMC’s VMAX Virtual Appliance (vApp) Manager is a key component of a wide range of the company’s enterprise storage systems. “The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system,” wrote Dell EMC in a security advisory.

The most serious flaw (CVE-2018-1216) in the vApp Manager is tied to an undocumented default account (“smc”) with a hard-coded password that can be used in conjunction with web-based Java servlets, the server-side programs that handle specific kinds of requests for the web application. “A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system,” according to the security bulletin. The vulnerability has a Common Vulnerability Scoring System (CVSS) base score of 9.8.

The other vulnerability (CVE-2018-1215) fixed in the vApp Manager is also rated critical, with a CVSS score of 8.8. In this case, a remote authenticated malicious user could upload arbitrary maliciously crafted files to any location on a targeted web server.
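The two defect classes behind these advisories, a built-in account whose password lives in the code and an upload handler that trusts a client-supplied path, are common enough to be worth seeing side by side with their hardened forms. The Python below is an added, generic illustration and is not Dell EMC’s code; the account name, password, hash store and upload directory in it are constructed for the example, and nothing about the actual vApp Manager servlets or message format is implied.

```python
"""Generic hard-coded-credential and arbitrary-upload-path patterns,
each beside a hardened version. Illustrative only (not vendor code);
the account, secret and paths below are made up for the example."""
import hashlib
import hmac
import os
import secrets

# ---- 1. Hard-coded default account vs. operator-provisioned, hashed credential ----

# Vulnerable pattern: an undocumented account whose password is a literal in
# the shipped code. Anyone who reads the JAR/binary or the advisory has it.
_BUILTIN_ACCOUNTS = {"service": "s3cret-built-in"}   # constructed example


def vulnerable_login(user, password):
    # Plain equality against a baked-in secret (and not constant-time either).
    return _BUILTIN_ACCOUNTS.get(user) == password


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def hardened_login(user, password, store):
    """store maps user -> (salt, digest) and is populated by the operator at
    install time. No entry means no account: there is nothing to 'default' to."""
    record = store.get(user)
    if record is None:
        # Burn equivalent work so unknown users are not distinguishable by timing.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)


# ---- 2. Upload to "any location" vs. upload contained in one directory ----

def is_within(root, path):
    """True if path (after normalisation and symlink resolution) lies under root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


def unsafe_save_path(upload_root, client_filename):
    # os.path.join drops upload_root entirely when the client name is absolute,
    # and ".." segments walk out of it, so the client chooses the destination.
    return os.path.join(upload_root, client_filename)


def safe_save_path(upload_root, client_filename):
    """Keep only the final path component and verify the result stays in root."""
    root = os.path.realpath(upload_root)
    # Normalise Windows-style separators before stripping the directory part.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or not name.isprintable():
        raise ValueError("invalid filename")
    candidate = os.path.realpath(os.path.join(root, name))
    if not is_within(root, candidate):
        raise ValueError("path escapes upload root")
    return candidate


if __name__ == "__main__":
    store = {"admin": hash_password("correct horse battery staple")}
    print("built-in account works:", vulnerable_login("service", "s3cret-built-in"))
    print("same creds on hardened:", hardened_login("service", "s3cret-built-in", store))
    print("unsafe path:", unsafe_save_path("/tmp/uploads", "../../etc/cron.d/job"))
    print("safe path:  ", safe_save_path("/tmp/uploads", "../../etc/cron.d/job"))
```

The hardened login has no notion of a shipped account at all: if the operator never provisioned one, `store.get` returns nothing and the check fails after doing the same amount of work as a real comparison. The safe upload path reduces the client name to a single component and then re-checks containment after `realpath`, which also catches symlinks inside the upload directory that point elsewhere.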