Researchers at vulnerability management services provider Digital Defense have identified a total of six flaws in the administration interface of EMC VMAX enterprise storage products.
EMC VMAX is an enterprise storage solution designed for storage area network (SAN) environments. The vulnerabilities found by Digital Defense affect versions 8.0.x through 8.2.x of the VMAX Unisphere web-based management console and the vApp Manager configuration and support tool for VMware deployments. EMC has released patches that address the security holes.
Of the six vulnerabilities, two have been rated critical, while the rest are high severity. The list includes arbitrary file retrieval, denial-of-service (DoS) and command execution issues.
One of the critical flaws is related to vApp Manager’s use of the Action Message Format (AMF) for server communications. While the RemoteServiceHandler class verifies certain types of AMF messages, some types are not validated properly, allowing an attacker to bypass authentication and gain root privileges on the system.
The attacker can exploit this vulnerability to add new admin users and completely compromise the virtual appliance.
The second critical security hole is related to vApp Manager’s use of GetSymmCmdRequest AMF messages. An unauthenticated attacker can execute arbitrary commands with root privileges and hijack the targeted appliance via specially crafted AMF messages.
A similar vulnerability, involving GeneralCmdRequest messages, requires an attacker to authenticate on the system before executing arbitrary commands with root privileges. However, researchers pointed out that they can achieve this by leveraging the first flaw to create a new admin account.
Digital Defense warned that similar attacks can also be carried out via specially crafted GetCommandExecRequest and PersistantDataRequest AMF messages.
An XML External Entity (XXE) flaw found by experts in the Unisphere interface allows unauthenticated attackers to retrieve arbitrary text files from the virtual appliance. The same weakness (CVE-2016-2340) can also be leveraged to cause a DoS condition.