EMC Patches Flaws in M&R, Secure Remote Services

Researchers at Dutch software security company Securify have identified a total of eight vulnerabilities in EMC M&R and EMC Secure Remote Services.

One of the issues identified in EMC Secure Remote Services Virtual Edition (ESRS VE) is a SQL injection vulnerability (CVE-2015-0524). The flaw exists in the product’s “Provisioning” component and it can be exploited by an attacker to execute arbitrary SQL commands.

According to an advisory published this week by Securify, an attacker can exploit the vulnerability to “retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.”

ESRS VE is also affected by a command injection flaw (CVE-2015-0525) that can be leveraged by an attacker to execute arbitrary system commands and take full control of the product, the security firm said.

The vulnerabilities affect ESRS VE versions 3.02 and 3.03, and they have been fixed with the release of version 3.04.

Researchers have identified multiple security holes in the EMC M&R platform, formerly known as Watch4net. Two of the bugs are path traversals (CVE-2015-0516) affecting the management information base (MIB) browser and the device discovery module.

The vulnerabilities can be exploited by an authenticated attacker to access files containing sensitive information such as configuration data, passwords, database records, log data, source code, and program scripts and binaries, Securify said.

The product is also plagued by cross-site scripting (XSS) bugs (CVE-2015-0513). These weaknesses affect the EMC M&R centralized management console, Alerting Frontend, and the Web portal.

“This issue allows attackers to perform a wide variety of actions, such as stealing victims’ session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes, or exploit issues in other areas of Watch4net,” Securify explained in an advisory.

Finally, researchers discovered that EMC M&R data storage collector credentials are encrypted using a hardcoded password, making it easy for an attacker to decrypt them (CVE-2015-0514).

The EMC M&R vulnerabilities also impact the EMC ViPR SRM storage management software. EMC M&R versions prior 6.5u1 and EMC ViPR SRM versions prior to 3.6.1 are affected.

According to EMC, the severity of these vulnerabilities ranged from “high” to “medium” on a four-point sliding scale (critical, high, medium, low).

“EMC received reports directly from the customer late last year and quickly initiated our established investigative-response process. We quickly confirmed that several of the issues raised had already been fixed/addressed via historic product upgrades and updates. Fixes for the outstanding issues were then identified, initiated, and communicated to our customers via the normal channels. This was all dealt with within industry expected timelines with mutual agreement between EMC and the researcher,” Reeny Sondhi, Senior Director of the EMC Product Security Office, told SecurityWeek.

“A point worth mentioning is that the researcher has worked responsively by not disclosing the detail of the vulnerability until a remedy was made available by EMC. This is a good example of coordinated disclosure between both vendor and researcher,” Sondhi added.

EMC Secure Remote Services provides a two-way remote connection between EMC Customer Service and EMC products and solutions. ESRS maintains connectivity with EMC products and automatically notifies the vendor if a problem occurs. EMC Customer Service professionals can use the connection to establish a remote session to diagnose or repair the issues.

EMC M&R delivers enterprise and carrier-class cross-domain performance and service level management. The solution is designed to help organizations improve operational efficiency, and optimize IT resources.