EMC Patches VMAX Holes

Wednesday, October 5, 2016 @ 11:10 AM gHale

EMC released patches that mitigate six holes in the administration interface of its VMAX enterprise storage products.

EMC VMAX is an enterprise storage solution designed for storage area network (SAN) environments. The vulnerabilities affect versions 8.0.x through 8.2.x of the VMAX Unisphere web-based management console and the vApp Manager configuration and support tool for VMware deployments, said researchers at Digital Defense.

Reminder to Cisco: Remove Testing Interface
Analytics through Network Monitoring
Cisco Addresses Cloud Services Holes
Cisco Analyzing Issue, Finds a Flaw

Of the six vulnerabilities, two are critical, while the rest are high severity. The list includes arbitrary file retrieval, denial-of-service (DoS) and command execution issues.

One of the critical vulnerabilities is with vApp Manager’s use of the Action Message Format (AMF) for server communications. While the RemoteServiceHandler class verifies certain types of AMF messages, some types do not validate properly, allowing an attacker to bypass authentication and gain root privileges on the system.

An attacker could exploit this vulnerability to add new administrative users and completely compromise the virtual appliance.

The second critical security hole relates to vApp Manager’s use of GetSymmCmdRequest AMF messages. An unauthenticated attacker can execute arbitrary commands with root privileges and hijack the targeted appliance via specially crafted AMF messages.

A similar vulnerability, involving GeneralCmdRequest messages, requires an attacker to authenticate on the system before executing arbitrary commands with root privileges. However, researchers pointed out they can achieve this by leveraging the first flaw to create a new admin account.

Digital Defense said similar attacks can also be carried out via specially crafted GetCommandExecRequest and PersistantDataRequest AMF messages.