DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities

[EMC Product Security Response Center <Security_Alert () emc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities

Dell EMC Identifier: DSA-2018-058
CVE Identifier: CVE-2018-1205, CVE-2018-1237, CVE-2018-1238
Severity: Medium
Severity Rating: CVSS v3 Base Score: See below for CVSS v3 scores

Affected products:  
Dell EMC ScaleIO versions prior to 2.5  

Summary:  
Dell EMC ScaleIO customers are encouraged to update to ScaleIO v2.5, which contains fixes for multiple security 
vulnerabilities in earlier ScaleIO software versions that could potentially be exploited by malicious users to 
compromise the affected system. 

Details:  
The vulnerability details are as follows:

*       Buffer overflow vulnerability (CVE-2018-1205) 
Dell EMC ScaleIO, versions prior to 2.5, do not properly handle some packet data in the MDM service. As a result, a 
remote attacker could potentially send specifically crafted packet data to the MDM service causing it to crash.
CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

*       Improper Restriction of Excessive Authentication Attempts Vulnerability  (CVE-2018-1237) 
Dell EMC ScaleIO versions prior to 2.5, contain improper restriction of excessive authentication attempts on the Light 
installation Agent (LIA). This component is deployed on every server in the ScaleIO cluster and is used for central 
management of ScaleIO nodes. A remote malicious user, having network access to LIA, could potentially exploit this 
vulnerability to launch brute force guessing of user names and passwords of user accounts on the LIA.
CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

*       Command injection vulnerability (CVE-2018-1238)
Dell EMC ScaleIO versions prior to 2.5, contain a command injection vulnerability in the Light Installation Agent 
(LIA). This component is used for central management of ScaleIO deployment and uses shell commands for certain actions. 
A remote malicious user, with network access to LIA and knowledge of the LIA administrative password, could potentially 
exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed.
CVSSv3 Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)


Resolution:  
The following Dell EMC ScaleIO release contains resolutions to these vulnerabilities:
*       Dell EMC ScaleIO version 2.5

Dell EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download software from  https://support.emc.com/downloads/40635_ScaleIO-Product-Family 

Credit:
Dell EMC would like to thank David Berard, from the Ubisoft Security & Risk Management team, for reporting these 
vulnerabilities.


Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise 
from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase solution emc218831. Dell EMC recommends all 
customers take into account both the base score and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

Dell EMC recommends that all users determine the applicability of this information to their individual situations and 
take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC 
disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a 
particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if 
Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJauOjDAAoJEHbcu+fsE81Z3/wH/jL9Ub908R9cXBOLhTbwCohq
pVPgYZwy8ew96iuUaqDgqy3KmarYebeZ9MAG2gxW5URYqNSO7LJBZG8Jo4qWB3gB
QuShn8UvJ0yfo4vxznkXtGjxhFLopYaoN+tgDQ3IjkcH3chvAHS0dnUk9Uj7OQsx
KEltBIFJmzv97ZxkCLxqEtNu0LSTFsvKhjyKl6lOJZ8yVfTZR/p+Awx1czEyJc8Z
/sfRBBgqJnK3LHBNEsuqCy+wedlDHwj+/d3wBr51eR0+3UrD2jRaDQVx3VkcE7Gb
DGjCoZRJ8qiWp7muB0rC7/6PxxxQcNlBludSiYDTkdrQpjot1G37w+TX1GFVUUk=
=FvDE
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/