Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Flaws Found in Dell EMC Data Protection, ESRS Products

Dell EMC informed customers this week that its Data Protection Advisor and ESRS Policy Manager products are affected by high and medium severity vulnerabilities, and provided patches and workarounds for addressing the issues.

Dell EMC informed customers this week that its Data Protection Advisor and ESRS Policy Manager products are affected by high and medium severity vulnerabilities, and provided patches and workarounds for addressing the issues.

According to an advisory published by the company on the Full Disclosure mailing list, versions prior to 6.8 of the EMC Secure Remote Support (ESRS) Policy Manager are affected by a high severity flaw.

The security hole, discovered by Travis Emmert from Salesforce and tracked as CVE-2017-4976, is caused by the existence of an undocumented account that can be used by a remote attacker to gain unauthorized access to a targeted system.

“EMC ESRS Policy Manager contains an undocumented account (OpenDS admin) with a default password. A remote attacker with the knowledge of the default password may login to the system and gain administrator privileges to the local LDAP directory server,” the company said in its advisory.

Starting with ESRS Policy Manager 6.8, users are prompted to change this default password during the installation process. Customers have also been provided instructions on how to change the password on their existing installations.

A separate advisory published by Dell EMC this week describes medium severity vulnerabilities affecting the EMC Data Protection Advisor data protection management software.

The product is affected by several blind SQL injection flaws (CVE-2017-8002) that can be exploited by a remote, authenticated attacker to gain access to data by executing arbitrary SQL commands, and a path traversal weakness (CVE-2017-8003) that can be exploited by a high privileged user to access information from the underlying OS server.

Users have been advised to update EMC Data Protection Advisor to version 6.4 as soon as possible.

Advertisement. Scroll to continue reading.

Earlier this month, Beyond Security’s SecuriTeam Secure Disclosure (SSD) project published the details and proof-of-concept (PoC) code for a command injection vulnerability affecting EMC’s IsilonSD Edge software-defined storage solution.

The flaw allows a remote, authenticated attacker to execute arbitrary OS commands, including with root privileges. Researchers reported their findings to EMC on April 24, but it’s unclear if the vulnerability has been patched by the vendor.

Related: EMC Patches Critical Flaws in VMAX Storage Products

Related: EMC Patches Flaws in M&R, Secure Remote Services

Related: Critical Flaws Found in Dell SonicWALL Product

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.