Sign-up

ID

VAR-201803-1637


CVE

CVE-2018-1238


TITLE

Dell EMC ScaleIO Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-003557

DESCRIPTION

Dell EMC ScaleIO versions prior to 2.5, contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of ScaleIO deployment and uses shell commands for certain actions. A remote malicious user, with network access to LIA and knowledge of the LIA administrative password, could potentially exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed. Dell EMC ScaleIO is a software-defined solution for converting DAS storage into shared data block storage from Dell. Light Installation Agent (LIA) is one of the installation agents. An attacker can exploit this vulnerability to execute arbitrary commands on the system with root privileges. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities Dell EMC Identifier: DSA-2018-058 CVE Identifier: CVE-2018-1205, CVE-2018-1237, CVE-2018-1238 Severity: Medium Severity Rating: CVSS v3 Base Score: See below for CVSS v3 scores Affected products: Dell EMC ScaleIO versions prior to 2.5 Summary: Dell EMC ScaleIO customers are encouraged to update to ScaleIO v2.5, which contains fixes for multiple security vulnerabilities in earlier ScaleIO software versions that could potentially be exploited by malicious users to compromise the affected system. As a result, a remote attacker could potentially send specifically crafted packet data to the MDM service causing it to crash. CVSSv3 Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) Resolution: The following Dell EMC ScaleIO release contains resolutions to these vulnerabilities: * Dell EMC ScaleIO version 2.5 Dell EMC recommends all customers upgrade at the earliest opportunity. Link to remedies: Customers can download software from https://support.emc.com/downloads/40635_ScaleIO-Product-Family Credit: Dell EMC would like to thank David Berard, from the Ubisoft Security & Risk Management team, for reporting these vulnerabilities. Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867. For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase solution emc218831. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJauOjDAAoJEHbcu+fsE81Z3/wH/jL9Ub908R9cXBOLhTbwCohq pVPgYZwy8ew96iuUaqDgqy3KmarYebeZ9MAG2gxW5URYqNSO7LJBZG8Jo4qWB3gB QuShn8UvJ0yfo4vxznkXtGjxhFLopYaoN+tgDQ3IjkcH3chvAHS0dnUk9Uj7OQsx KEltBIFJmzv97ZxkCLxqEtNu0LSTFsvKhjyKl6lOJZ8yVfTZR/p+Awx1czEyJc8Z /sfRBBgqJnK3LHBNEsuqCy+wedlDHwj+/d3wBr51eR0+3UrD2jRaDQVx3VkcE7Gb DGjCoZRJ8qiWp7muB0rC7/6PxxxQcNlBludSiYDTkdrQpjot1G37w+TX1GFVUUk= =FvDE -----END PGP SIGNATURE-----

Trust: 1.8

sources: NVD: CVE-2018-1238 // JVNDB: JVNDB-2018-003557 // VULHUB: VHN-122333 // PACKETSTORM: 146920

AFFECTED PRODUCTS

vendor:dellmodel:emc scaleioscope:ltversion:2.5

Trust: 1.0

vendor:dell emc old emcmodel:scaleioscope:ltversion:2.5

Trust: 0.8

sources: JVNDB: JVNDB-2018-003557 // NVD: CVE-2018-1238

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-1238
value: HIGH

Trust: 1.0

NVD: CVE-2018-1238
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201803-947
value: HIGH

Trust: 0.6

VULHUB: VHN-122333
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-1238
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-122333
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-1238
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-122333 // JVNDB: JVNDB-2018-003557 // CNNVD: CNNVD-201803-947 // NVD: CVE-2018-1238

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-122333 // JVNDB: JVNDB-2018-003557 // NVD: CVE-2018-1238

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-947

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201803-947

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003557

PATCH
title:Dell EMC ScaleIOurl:https://www.dellemc.com/ja-jp/storage/scaleio/index.htm
Trust: 0.8
title:Dell EMC ScaleIO Light Installation Agent Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79437
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003557 // 
            
            
            
            CNNVD: CNNVD-201803-947

EXTERNAL IDS
db:NVDid:CVE-2018-1238
Trust: 2.6
db:JVNDBid:JVNDB-2018-003557
Trust: 0.8
db:CNNVDid:CNNVD-201803-947
Trust: 0.6
db:VULHUBid:VHN-122333
Trust: 0.1
db:PACKETSTORMid:146920
Trust: 0.1
sources:
            
            
            VULHUB: VHN-122333 // 
            
            
            
            JVNDB: JVNDB-2018-003557 // 
            
            
            
            PACKETSTORM: 146920 // 
            
            
            
            CNNVD: CNNVD-201803-947 // 
            
            
            
            NVD: CVE-2018-1238

REFERENCES
url:http://seclists.org/fulldisclosure/2018/mar/59
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2018-1238
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1238
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-1237
Trust: 0.1
url:https://support.emc.com/downloads/40635_scaleio-product-family
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-1205
Trust: 0.1
sources:
            
            
            VULHUB: VHN-122333 // 
            
            
            
            JVNDB: JVNDB-2018-003557 // 
            
            
            
            PACKETSTORM: 146920 // 
            
            
            
            CNNVD: CNNVD-201803-947 // 
            
            
            
            NVD: CVE-2018-1238

CREDITS
David Berard
Trust: 0.1
sources:
            
            
            PACKETSTORM: 146920

SOURCES
db:VULHUBid:VHN-122333
db:JVNDBid:JVNDB-2018-003557
db:PACKETSTORMid:146920
db:CNNVDid:CNNVD-201803-947
db:NVDid:CVE-2018-1238

LAST UPDATE DATE
2024-11-23T22:17:37.434000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-122333date:2020-08-24T00:00:00
db:JVNDBid:JVNDB-2018-003557date:2018-05-28T00:00:00
db:CNNVDid:CNNVD-201803-947date:2020-08-25T00:00:00
db:NVDid:CVE-2018-1238date:2024-11-21T03:59:26.560

SOURCES RELEASE DATE
db:VULHUBid:VHN-122333date:2018-03-27T00:00:00
db:JVNDBid:JVNDB-2018-003557date:2018-05-28T00:00:00
db:PACKETSTORMid:146920date:2018-03-27T23:23:23
db:CNNVDid:CNNVD-201803-947date:2018-03-28T00:00:00
db:NVDid:CVE-2018-1238date:2018-03-27T21:29:00.907