Critical Flaw Impacts Dell EMC RecoverPoint

Several security flaws were recently found in Dell EMC RecoverPoint, including a Critical remote code execution vulnerability, security firm Foregenix reveals.

Researchers from Foregenix found a total of six security issues impacting all versions of Dell EMC RecoverPoint prior to 5.1.2, as well as RecoverPoint for Virtual Machines prior to

The flaws were reported to Dell in February, but the company released an update only last week, and that update addressed only some of the bugs. The fixes are available through Dell EMC support.

Of the six vulnerabilities, only three received CVE numbers to date. These include CVE-2018-1235 (CVSS 9.8, Critical severity), CVE-2018-1242 (CVSS 6.7, Medium severity), and CVE-2018-1241 (CVSS 6.2, Medium severity).

The most important of the issues allows an unauthenticated remote attacker to execute arbitrary code with root privileges via an unspecified attack vector.

“The critical vulnerability allows unauthenticated remote code execution with root privileges. This means that if an attacker with no knowledge of any credentials has visibility of RecoverPoint on the network, or local access to it, they can gain complete control over the RecoverPoint and its underlying Linux operating system,” Foregenix reveals.

The security researchers note that, once they gained complete control over the impacted device, they could exploit other unpatched vulnerabilities “to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with.”


The second newly discovered flaw is an administrative menu arbitrary file read, which could allow an attacker with access to the boxmgmt administrative menu to read files from the file system (which are accessible to the boxmgmt user).

In certain conditions, RecoverPoint leaks plaintext Lightweight Directory Access Protocol credentials into the Tomcat log file, the security firm says.

“When the LDAP server is not contactable by RecoverPoint, and a log in attempt is made to an LDAP linked account via a RecoverPoint web interface, LDAP credentials are leaked into the tomcat.log file. These credentials may remain in the log file indefinitely, providing opportunity for attackers with access to the RecoverPoint file system to obtain them and resulting in LDAP account compromise,” Foregenix notes.

The researchers also discovered that RecoverPoint is shipped with “root” password hashes for grub stored in /distribution.log, a file readable by any user. A CVE was initially issued for the flaw, but Dell apparently revoked it, claiming that the file would only be readable by root; the researchers, however, claim they could read the file as the www-data user.

Although the CVE was revoked, Dell did fix the flaw for new installations of RecoverPoint. “At the time of writing it was not clear whether the vendor would reinstate the CVE, or whether performing an upgrade would remove the hash from previous versions of the world-readable log file,” Foregenix says.
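Both the tomcat.log credential leak and the world-readable /distribution.log come down to the same defender's check: does a log file that any local user can read contain material that should never be logged? The script below is an added example for this article (it is not Foregenix's tooling or Dell EMC's own code): it scans log lines for GRUB password hashes (the legacy md5crypt form and the GRUB2 pbkdf2 form) and for key=value credential fields, and combines the result with the file's world-readable bit. The sample log lines, the file path and the exact leak format are constructed for illustration; the report does not describe how the leaked LDAP credentials are formatted.

```python
"""Audit log files for secrets that any local user could read.

Added example for the RecoverPoint article; not vendor or researcher code.
The sample log content below is constructed and does not reproduce the real
tomcat.log or /distribution.log format.
"""
import os
import re
import stat
import tempfile

# Secret shapes that should never sit in a readable log:
#  - legacy GRUB `password --md5 $1$salt$hash` entries (md5crypt),
#  - GRUB2 `grub.pbkdf2.sha512.<iters>.<salt>.<hash>` entries,
#  - generic key=value credential fields (covers logged bind passwords).
SECRET_PATTERNS = {
    "grub_md5_hash": re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    "grub_pbkdf2_hash": re.compile(
        r"grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+"),
    "credential_field": re.compile(
        r"(?i)\b(password|passwd|pwd|bindpw)\s*[=:]\s*\S+"),
}

# Constructed sample lines (not real RecoverPoint output).
SAMPLE_LOG = [
    "2018-02-12 10:01:03 INFO installer: configuring bootloader",
    "2018-02-12 10:01:04 DEBUG grub.cfg: password --md5 "
    "$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV",
    "2018-02-12 10:01:05 INFO installer: finished",
    "2018-02-12 10:02:10 WARN ldap: server unreachable, retrying bind "
    "for uid=jdoe password=Hunter2!",
]


def find_secret_lines(lines):
    """Return (line_number, kind) for each line matching a secret pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, kind))
                break  # one finding per line is enough for triage
    return hits


def is_world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_log(path):
    """Combine content findings with the permission check on one file."""
    with open(path, errors="replace") as fh:
        hits = find_secret_lines(fh.read().splitlines())
    readable = is_world_readable(path)
    return {
        "path": path,
        "world_readable": readable,
        "secret_lines": hits,
        # Exposed only when both conditions hold: secrets present AND
        # the mode lets any local account read them.
        "exposed": bool(hits) and readable,
    }


def demo():
    """Write the constructed sample with mode 0644, then with 0600, and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "distribution.log")  # hypothetical path
        with open(path, "w") as fh:
            fh.write("\n".join(SAMPLE_LOG) + "\n")
        os.chmod(path, 0o644)
        before = audit_log(path)
        os.chmod(path, 0o600)   # the fix: restrict the file to its owner
        after = audit_log(path)
        return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The permission check looks at the mode bits rather than attempting a read, so it reports what an unprivileged account such as www-data could do even when the script itself runs as root. Tightening the mode (the `after` case) stops the exposure but, as the researchers note for upgrades, it does not remove the hash from the file; rotating the underlying secret is still required.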

RecoverPoint was also found to use a hardcoded root password that the user cannot change unless they contact the vendor. An attacker knowing the password could “gain control over all of the devices by logging in at the local console, or gaining console access as an unprivileged user, and changing to root.”

A CVE was not issued for the vulnerability, but the vendor apparently said that a documentation update will make it clear that a dedicated script from the support team is necessary to change the password.

The sixth vulnerability resides in an insecure configuration option that results in LDAP credentials being sent by the RecoverPoint in clear text, thus potentially exposing them to eavesdroppers.

“When the LDAP simple bind configuration is used, credentials are sent from the RecoverPoint server in cleartext. This means that a man-in-the-middle attacker or an attacker who has gained access to the RecoverPoint using another vulnerability, can monitor the traffic and discover LDAP credentials which have been entrusted to the RecoverPoint,” Foregenix says.

The RecoverPoint documentation includes a warning about the insecure configuration, but the RecoverPoint menu itself does not include such an alert.

Related: Nine Remotely Exploitable Vulnerabilities Found in Dell EMC Storage Platform

Related: Dell Patches Vulnerability in Pre-installed SupportAssist Utility

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
