Sign-up

ID

VAR-201803-1466


CVE

CVE-2018-1237


TITLE

Dell EMC ScaleIO Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-003556

DESCRIPTION

Dell EMC ScaleIO versions prior to 2.5, contain improper restriction of excessive authentication attempts on the Light installation Agent (LIA). This component is deployed on every server in the ScaleIO cluster and is used for central management of ScaleIO nodes. A remote malicious user, having network access to LIA, could potentially exploit this vulnerability to launch brute force guessing of user names and passwords of user accounts on the LIA. Dell EMC ScaleIO Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Dell EMC ScaleIO is a software-defined solution for converting DAS storage into shared data block storage from Dell. Light Installation Agent (LIA) is one of the installation agents. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities Dell EMC Identifier: DSA-2018-058 CVE Identifier: CVE-2018-1205, CVE-2018-1237, CVE-2018-1238 Severity: Medium Severity Rating: CVSS v3 Base Score: See below for CVSS v3 scores Affected products: Dell EMC ScaleIO versions prior to 2.5 Summary: Dell EMC ScaleIO customers are encouraged to update to ScaleIO v2.5, which contains fixes for multiple security vulnerabilities in earlier ScaleIO software versions that could potentially be exploited by malicious users to compromise the affected system. Details: The vulnerability details are as follows: * Buffer overflow vulnerability (CVE-2018-1205) Dell EMC ScaleIO, versions prior to 2.5, do not properly handle some packet data in the MDM service. As a result, a remote attacker could potentially send specifically crafted packet data to the MDM service causing it to crash. CVSSv3 Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC ScaleIO release contains resolutions to these vulnerabilities: * Dell EMC ScaleIO version 2.5 Dell EMC recommends all customers upgrade at the earliest opportunity. Link to remedies: Customers can download software from https://support.emc.com/downloads/40635_ScaleIO-Product-Family Credit: Dell EMC would like to thank David Berard, from the Ubisoft Security & Risk Management team, for reporting these vulnerabilities. Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867. For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase solution emc218831. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJauOjDAAoJEHbcu+fsE81Z3/wH/jL9Ub908R9cXBOLhTbwCohq pVPgYZwy8ew96iuUaqDgqy3KmarYebeZ9MAG2gxW5URYqNSO7LJBZG8Jo4qWB3gB QuShn8UvJ0yfo4vxznkXtGjxhFLopYaoN+tgDQ3IjkcH3chvAHS0dnUk9Uj7OQsx KEltBIFJmzv97ZxkCLxqEtNu0LSTFsvKhjyKl6lOJZ8yVfTZR/p+Awx1czEyJc8Z /sfRBBgqJnK3LHBNEsuqCy+wedlDHwj+/d3wBr51eR0+3UrD2jRaDQVx3VkcE7Gb DGjCoZRJ8qiWp7muB0rC7/6PxxxQcNlBludSiYDTkdrQpjot1G37w+TX1GFVUUk= =FvDE -----END PGP SIGNATURE-----

Trust: 1.8

sources: NVD: CVE-2018-1237 // JVNDB: JVNDB-2018-003556 // VULHUB: VHN-122322 // PACKETSTORM: 146920

AFFECTED PRODUCTS

vendor:dellmodel:emc scaleioscope:ltversion:2.5

Trust: 1.0

vendor:dell emc old emcmodel:scaleioscope:ltversion:2.5

Trust: 0.8

sources: JVNDB: JVNDB-2018-003556 // NVD: CVE-2018-1237

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-1237
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-1237
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201803-948
value: MEDIUM

Trust: 0.6

VULHUB: VHN-122322
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-1237
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-122322
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-1237
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-122322 // JVNDB: JVNDB-2018-003556 // CNNVD: CNNVD-201803-948 // NVD: CVE-2018-1237

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-122322 // JVNDB: JVNDB-2018-003556 // NVD: CVE-2018-1237

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-948

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201803-948

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003556

PATCH
title:Dell EMC ScaleIOurl:https://www.dellemc.com/ja-jp/storage/scaleio/index.htm#collapse
Trust: 0.8
title:Dell EMC ScaleIO Light Installation Agent Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79438
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003556 // 
            
            
            
            CNNVD: CNNVD-201803-948

EXTERNAL IDS
db:NVDid:CVE-2018-1237
Trust: 2.6
db:JVNDBid:JVNDB-2018-003556
Trust: 0.8
db:CNNVDid:CNNVD-201803-948
Trust: 0.7
db:VULHUBid:VHN-122322
Trust: 0.1
db:PACKETSTORMid:146920
Trust: 0.1
sources:
            
            
            VULHUB: VHN-122322 // 
            
            
            
            JVNDB: JVNDB-2018-003556 // 
            
            
            
            PACKETSTORM: 146920 // 
            
            
            
            CNNVD: CNNVD-201803-948 // 
            
            
            
            NVD: CVE-2018-1237

REFERENCES
url:http://seclists.org/fulldisclosure/2018/mar/59
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2018-1237
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1237
Trust: 0.8
url:https://support.emc.com/downloads/40635_scaleio-product-family
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-1238
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-1205
Trust: 0.1
sources:
            
            
            VULHUB: VHN-122322 // 
            
            
            
            JVNDB: JVNDB-2018-003556 // 
            
            
            
            PACKETSTORM: 146920 // 
            
            
            
            CNNVD: CNNVD-201803-948 // 
            
            
            
            NVD: CVE-2018-1237

CREDITS
David Berard
Trust: 0.1
sources:
            
            
            PACKETSTORM: 146920

SOURCES
db:VULHUBid:VHN-122322
db:JVNDBid:JVNDB-2018-003556
db:PACKETSTORMid:146920
db:CNNVDid:CNNVD-201803-948
db:NVDid:CVE-2018-1237

LAST UPDATE DATE
2024-11-23T22:17:37.492000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-122322date:2018-04-24T00:00:00
db:JVNDBid:JVNDB-2018-003556date:2018-05-28T00:00:00
db:CNNVDid:CNNVD-201803-948date:2018-03-28T00:00:00
db:NVDid:CVE-2018-1237date:2024-11-21T03:59:26.450

SOURCES RELEASE DATE
db:VULHUBid:VHN-122322date:2018-03-27T00:00:00
db:JVNDBid:JVNDB-2018-003556date:2018-05-28T00:00:00
db:PACKETSTORMid:146920date:2018-03-27T23:23:23
db:CNNVDid:CNNVD-201803-948date:2018-03-28T00:00:00
db:NVDid:CVE-2018-1237date:2018-03-27T21:29:00.860