EMC Cloud Tiering Appliance XXE / Information Disclosure

2014.04.17
Credit: EMC
Risk: High
Local: No
Remote: Yes
CWE: N/A

ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities EMC Identifier: ESA-2014-028 CVE Identifier: CVE-2014-0644, CVE-2014-0645 Severity Rating: CVSS v2 Base Score: See below for individual scores Affected products: EMC Cloud Tiering Appliance (CTA) 10 EMC Cloud Tiering Appliance (CTA) 10 SP1 EMC Cloud Tiering Appliance (CTA) 9.x EMC File Management Appliance (FMA) 7.x Summary: EMC CTA is vulnerable to XML External Entity (XXE) and information disclosure vulnerabilities that may allow a remote malicious user to compromise the affected system. Details: EMC CTA versions 10 and 10 SP1 are vulnerable to XXE attack (CVE-2014-0644) which may allow a remote unauthenticated user to access arbitrary files on the affected system with root privileges. The exploit code that exposes the password file has been made available to the public. This vulnerability does not affect CTA 9.x and FMA 7.x versions. CVSS 8.5 (AV:N/AC:L/Au:N/C:C/I:N/A:P) In addition, the default passwords for built-in accounts (root, super, admin) are stored using a weak DES encryption algorithm (CVE-2014-0644). This issue does not affect passwords changed during installation/usage of the product and/or for newly added accounts. This issue affects all versions of CTA and FMA. CVSS 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C) Resolution: The following EMC CTA Hot Fixes contain a resolution to the XXE vulnerability: CTA 10.0 SP1 Hot Fix for ESA-2014-028 CTA 10.0 Hot Fix for ESA-2014-028 EMC strongly recommends all CTA 10.0 and 10SP1 customers apply the hotfixes above at the earliest opportunity. EMC strongly recommends all CTA and FMA customers change the default password for all users namely SSH users "root" and "super" as well as GUI "admin" accounts. See CTA Getting Started Guide for information on how to change passwords. Link to remedies: Customers with CTA 10.0 and CTA 10.0 SP1 can download the hotfix and instructions to apply the hotfix from the following Support Zone links. 10.0: https://download.emc.com/downloads/DL53068_CTA-10.0-Hot-Fix-for-ESA-2014-028.zip 10.0 SP1: https://download.emc.com/downloads/DL53069_CTA-10.0-SP1-Hot-Fix-for-ESA-2014-028.zip

References:

https://download.emc.com/downloads/DL53069_CTA-10.0-SP1-Hot-Fix-for-ESA-2014-028.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top