Connect with us

Hi, what are you looking for?


Data Protection

Flaws Found in Dell EMC Data Protection, ESRS Products

Dell EMC informed customers this week that its Data Protection Advisor and ESRS Policy Manager products are affected by high and medium severity vulnerabilities, and provided patches and workarounds for addressing the issues.

Dell EMC informed customers this week that its Data Protection Advisor and ESRS Policy Manager products are affected by high and medium severity vulnerabilities, and provided patches and workarounds for addressing the issues.

According to an advisory published by the company on the Full Disclosure mailing list, versions prior to 6.8 of the EMC Secure Remote Support (ESRS) Policy Manager are affected by a high severity flaw.

The security hole, discovered by Travis Emmert from Salesforce and tracked as CVE-2017-4976, is caused by the existence of an undocumented account that can be used by a remote attacker to gain unauthorized access to a targeted system.

“EMC ESRS Policy Manager contains an undocumented account (OpenDS admin) with a default password. A remote attacker with the knowledge of the default password may login to the system and gain administrator privileges to the local LDAP directory server,” the company said in its advisory.

Starting with ESRS Policy Manager 6.8, users are prompted to change this default password during the installation process. Customers have also been provided instructions on how to change the password on their existing installations.

A separate advisory published by Dell EMC this week describes medium severity vulnerabilities affecting the EMC Data Protection Advisor data protection management software.

The product is affected by several blind SQL injection flaws (CVE-2017-8002) that can be exploited by a remote, authenticated attacker to gain access to data by executing arbitrary SQL commands, and a path traversal weakness (CVE-2017-8003) that can be exploited by a high privileged user to access information from the underlying OS server.

Advertisement. Scroll to continue reading.

Users have been advised to update EMC Data Protection Advisor to version 6.4 as soon as possible.

Earlier this month, Beyond Security’s SecuriTeam Secure Disclosure (SSD) project published the details and proof-of-concept (PoC) code for a command injection vulnerability affecting EMC’s IsilonSD Edge software-defined storage solution.

The flaw allows a remote, authenticated attacker to execute arbitrary OS commands, including with root privileges. Researchers reported their findings to EMC on April 24, but it’s unclear if the vulnerability has been patched by the vendor.

Related: EMC Patches Critical Flaws in VMAX Storage Products

Related: EMC Patches Flaws in M&R, Secure Remote Services

Related: Critical Flaws Found in Dell SonicWALL Product

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.