Connect with us

Hi, what are you looking for?


M&A Tracker

EMC Patches Flaws in M&R, Secure Remote Services

Researchers at Dutch software security company Securify have identified a total of eight vulnerabilities in EMC M&R and EMC Secure Remote Services.

Researchers at Dutch software security company Securify have identified a total of eight vulnerabilities in EMC M&R and EMC Secure Remote Services.

One of the issues identified in EMC Secure Remote Services Virtual Edition (ESRS VE) is a SQL injection vulnerability (CVE-2015-0524). The flaw exists in the product’s “Provisioning” component and it can be exploited by an attacker to execute arbitrary SQL commands.

According to an advisory published this week by Securify, an attacker can exploit the vulnerability to “retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.”

ESRS VE is also affected by a command injection flaw (CVE-2015-0525) that can be leveraged by an attacker to execute arbitrary system commands and take full control of the product, the security firm said.

The vulnerabilities affect ESRS VE versions 3.02 and 3.03, and they have been fixed with the release of version 3.04.

Researchers have identified multiple security holes in the EMC M&R platform, formerly known as Watch4net. Two of the bugs are path traversals (CVE-2015-0516) affecting the management information base (MIB) browser and the device discovery module.

The vulnerabilities can be exploited by an authenticated attacker to access files containing sensitive information such as configuration data, passwords, database records, log data, source code, and program scripts and binaries, Securify said.

Advertisement. Scroll to continue reading.

The product is also plagued by cross-site scripting (XSS) bugs (CVE-2015-0513). These weaknesses affect the EMC M&R centralized management console, Alerting Frontend, and the Web portal.

“This issue allows attackers to perform a wide variety of actions, such as stealing victims’ session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes, or exploit issues in other areas of Watch4net,” Securify explained in an advisory.

Finally, researchers discovered that EMC M&R data storage collector credentials are encrypted using a hardcoded password, making it easy for an attacker to decrypt them (CVE-2015-0514).

The EMC M&R vulnerabilities also impact the EMC ViPR SRM storage management software. EMC M&R versions prior 6.5u1 and EMC ViPR SRM versions prior to 3.6.1 are affected.

According to EMC, the severity of these vulnerabilities ranged from “high” to “medium” on a four-point sliding scale (critical, high, medium, low).

“EMC received reports directly from the customer late last year and quickly initiated our established investigative-response process. We quickly confirmed that several of the issues raised had already been fixed/addressed via historic product upgrades and updates. Fixes for the outstanding issues were then identified, initiated, and communicated to our customers via the normal channels. This was all dealt with within industry expected timelines with mutual agreement between EMC and the researcher,” Reeny Sondhi, Senior Director of the EMC Product Security Office, told SecurityWeek.

“A point worth mentioning is that the researcher has worked responsively by not disclosing the detail of the vulnerability until a remedy was made available by EMC. This is a good example of coordinated disclosure between both vendor and researcher,” Sondhi added.

EMC Secure Remote Services provides a two-way remote connection between EMC Customer Service and EMC products and solutions. ESRS maintains connectivity with EMC products and automatically notifies the vendor if a problem occurs. EMC Customer Service professionals can use the connection to establish a remote session to diagnose or repair the issues.

EMC M&R delivers enterprise and carrier-class cross-domain performance and service level management. The solution is designed to help organizations improve operational efficiency, and optimize IT resources.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Thirty-five cybersecurity-related M&A deals were announced in February 2023


Forty cybersecurity-related M&A deals were announced in January 2023.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Seventeen cybersecurity-related M&A deals were announced in the first half of February 2023.