Numerous security vulnerabilities were just identified in Dell EMC RecoverPoint, containing a serious distant code implementation flaw, security firm Foregenix exposes. Investigators from Foregenix identified about a total of six security problems influencing complete versions of Dell EMC RecoverPoint preceding to 5.1.2, besides RecoverPoint for Virtual Machines previous to 18.104.22.168.
The vulnerabilities were stated to Dell this year in February, however the firm announced an update merely previous week, which simply described some of the flaws. The existing patches are available from side to side Dell EMC support. Of the six flaws, merely three received CVE numbers till date. Such contains CVE-2018-1235 (CVSS 9.8, Critical severity), CVE-2018-1242 (CVSS 6.7, Medium severity), and CVE-2018-1241 (CVSS 6.2, Medium sternness).
The very significant of the problems permits a no valid distant hacker to perform random code with root rights via an indefinite threat vector.
“The critical vulnerability allows unauthenticated remote code execution with root privileges. This means, that if an attacker with no knowledge of any credentials has visibility of RecoverPoint on the network, or local access to it, they can gain complete control over the RecoverPoint and its underlying Linux operating system,” Foregenix reveals.
The safety researchers observe that, once they increased whole regulation over the influenced device, they could achieve additional unfixed flaws “to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with.”
The secondly exposed vulnerability is an organizational menu random file read, which permit a hacker with could acquire to the boxmgmt organizational menu to read files from the file system.
RecoverPoint escapes plaintext Lightweight Directory Access Protocol credentials into the Tomcat log file in definite circumstances.
“When the LDAP server is not contactable by RecoverPoint, and a log in attempt is made to an LDAP linked account via a RecoverPoint web interface, LDAP credentials are leaked into the tomcat.log file. These credentials may remain in the log file indefinitely, providing opportunity for attackers with access to the RecoverPoint file system to obtain them and resulting in LDAP account compromise,” Foregenix notes.
The investigators also identified that RecoverPoint is transported with “root” password jumbles for sustenance stored in /distribution.log, a file decipherable by user’s end. CVE was primarily allotted for the vulnerability, but Dell seemingly repealed it, requesting that the file would be only readable by root, however the researchers assertion they could read the file as the www-data user.
Dell performed patches the vulnerability for new installations of RecoverPoint although the CVE was cancelled. “At the time of writing it was not clear whether the vendor would reinstate the CVE, or whether performing an upgrade would remove the hash from previous versions of the world-readable log file,” Foregenix says.
RecoverPoint was also identified to practice a hardcoded source password that the user cannot alter except they contact the company. A Hacker conscious the password could “gain control over all of the devices by logging in at the local console, or gaining console access as an unprivileged user, and changing to root.”
A CVE was not problems for the flaw, however the company seemingly stated that a documentation update will create it vibrant that a devoted script from the sustenance team is essential to alter the password. The sixth flaw exists in an uncertain configuration selection that consequences in LDAP credentials being directed by the RecoverPoint in vibrant text, consequently possibly revealing them to observers.
“When the LDAP simple bind configuration is used, credentials are sent from the RecoverPoint server in cleartext. This means that a man-in-the-middle attacker or an attacker who has gained access to the RecoverPoint using another vulnerability, can monitor the traffic and discover LDAP credentials which have been entrusted to the RecoverPoint,” Foregenix says.
The RecoverPoint documentation contains a cautionary threat about the uncertain configuration, however the RecoverPoint menu itself does not contain likewise alert.