Multiple Dell EMC RecoverPoint Zero-Day Vulnerabilities
Dell EMC RecoverPoint products provide continuous data protection for operational recovery and disaster recovery. RecoverPoint supports any-point-in-time recovery of a diverse storage environment within and across the data center. In simple terms, RecoverPoint technology lets users recover lost data to ensure data security.
Foregenix, a British information company, publicly disclosed six security vulnerabilities discovered in Dell EMC RecoverPoint products on Monday (May 21). One of the most serious vulnerabilities affected all versions of Dell RecoverPoint prior to 5.1.2 and 5.1, all versions of RecoverPoint for Virtual Machines prior to 1.3.
This vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges. This means that an attacker who can discover a RecoverPoint device over the Internet can take full control of RecoverPoint and its underlying Linux operating system without any login credentials.
Foregenix said that its researchers notified Dell EMC in February this year and that the vendor released a security fix last Friday (May 18th), in which three relatively serious vulnerabilities have been fixed; the other three remain to be resolved.
Critical unauthenticated remote code execution with root privileges via unspecified attack vector (CVE-2018-1235, CVSS 9.8, critical severity)
- Permits an attacker with visibility of a RecoverPoint device on the network to gain complete control over the underlying Linux operating system.
Administrative menu arbitrary file read (CVE-2018-1242, CVSS 6.7, medium severity)
- An attacker with access to the boxmgmt administrative menu can read files from the file system which are accessible to the boxmgmt user.
LDAP credentials in Tomcat log file (CVE-2018-1241, CVSS 6.2, medium severity)
- In certain conditions, RecoverPoint will leak plaintext credentials into a log file.
World readable log contains password hash (CVE not issued at time of writing)
- RecoverPoint is shipped with a system password hash stored in a world readable file.
Hardcoded root password (CVE not issued at time of writing)
- RecoverPoint uses a hardcoded root password which can only be changed by contacting the vendor.
LDAP credentials sent in cleartext (CVE not issued at time of writing)
- An insecure configuration option permits LDAP credentials sent by RecoverPoint to be intercepted by attackers.