Details of VAR-201808-0596

ID

VAR-201808-0596

CVE

CVE-2018-11050

TITLE

Dell EMC NetWorker Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-009135

DESCRIPTION

Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a Clear-Text authentication over network vulnerability in the Rabbit MQ Advanced Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote AMQP service. An unauthenticated attacker in the same network collision domain, could potentially sniff the password from the network and use it to access the component using the privileges of the compromised user. Dell EMC NetWorker Contains vulnerabilities related to certificate and password management and vulnerabilities related to cryptography.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Dell EMC NetWorker is prone to a security bypass vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks and certain unauthorized actions, which will aid in further attacks. The following product are affected: Dell EMC NetWorker 9.0 Dell EMC NetWorker 9.1.1.8 and prior Dell EMC NetWorker 9.2.1.3 and prior Dell EMC NetWorker 18.1.0.1. The software provides backup and recovery, deduplication, backup reporting, and more. Dell EMC recommends all customers upgrade at the earliest opportunity. Customers can download a fixed version directly at the links below. Link to remedies: For more information and access to the various releases, see https://support.emc.com/downloads/1095_NetWorker Severity Rating For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307 (https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Legal Information Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Dell EMC Technical Support (https://support.emc.com/servicecenter/contactEMC/). Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of bus iness profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Dell EMC Product Security Response Center security_alert@emc.com http://www.emc.com/products/security/product-security-response-center.htm -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEazKDH3UU9DEtTDc5dty75+wTzVkFAltYym8ACgkQdty75+wT zVni7gf+OdRos9pBAxu6Q0HePcbikxSojfZ7lPV7C+v0tm57U6m8tezCMK/Vr2Tp UjkwvAhCbuYPjauffqaKh2zZ1OgaibbMTp1y3cDtVbvO0rrM0dnKydnpOzTyAI4a ooKA7OvFrw1qJpmv8zABzv4c9A2+YjBRRMlHX2OFTWei7ZR17Uux+LvBZOpj3/dF cqSMj8LKxaZBQ/w7F3e8fDxMKazHf422N3Hc/P2mDe4d/GAPovs5yd8Urpl/UHno V7QhwmRdaxmFf7T/GfFw58ZOEOI2B19K5PLFtLnrgBLAOc+SPvJELyAwJi4W4NFG ihUimCnuTW6200OY6l+4/AsdJpfEEQ== =P3D/ -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2018-11050 // JVNDB: JVNDB-2018-009135 // BID: 104963 // VULHUB: VHN-120871 // PACKETSTORM: 148739

AFFECTED PRODUCTS

vendor:	dell	model:	emc networker	scope:	eq	version:	18.1.0.1	Trust: 1.9
vendor:	dell	model:	emc networker	scope:	lte	version:	9.0	Trust: 1.0
vendor:	dell	model:	emc networker	scope:	lte	version:	9.2.1.3	Trust: 1.0
vendor:	dell	model:	emc networker	scope:	gte	version:	9.1.1.8	Trust: 1.0
vendor:	dell	model:	emc networker	scope:	eq	version:	9.0	Trust: 0.9
vendor:	dell emc old emc	model:	networker	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	emc networker	scope:	eq	version:	9.2.1.3	Trust: 0.3
vendor:	dell	model:	emc networker	scope:	eq	version:	9.1.1.8	Trust: 0.3
vendor:	dell	model:	emc networker	scope:	ne	version:	9.2.1.4	Trust: 0.3
vendor:	dell	model:	emc networker	scope:	ne	version:	9.1.1.9	Trust: 0.3
vendor:	dell	model:	emc networker	scope:	ne	version:	18.1.0.2	Trust: 0.3

sources: BID: 104963 // JVNDB: JVNDB-2018-009135 // CNNVD: CNNVD-201808-057 // NVD: CVE-2018-11050

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-11050
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-11050
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201808-057
value:	HIGH
Trust: 0.6
VULHUB:	VHN-120871
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2018-11050
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-120871
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-11050
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-120871 // JVNDB: JVNDB-2018-009135 // CNNVD: CNNVD-201808-057 // NVD: CVE-2018-11050

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.1
problemtype:	CWE-522	Trust: 1.1
problemtype:	CWE-255	Trust: 0.9
problemtype:	CWE-310	Trust: 0.9

sources: VULHUB: VHN-120871 // JVNDB: JVNDB-2018-009135 // NVD: CVE-2018-11050

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201808-057

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201808-057

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-009135

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-120871

PATCH

title:	NETWORKER	url:	https://japan.emc.com/data-protection/networker.htm	Trust: 0.8
title:	Dell EMC NetWorker Rabbit MQ Advanced Message Queuing Protocol Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82803	Trust: 0.6

sources: JVNDB: JVNDB-2018-009135 // CNNVD: CNNVD-201808-057

EXTERNAL IDS

db:	NVD	id:	CVE-2018-11050	Trust: 2.9
db:	BID	id:	104963	Trust: 2.0
db:	SECTRACK	id:	1041393	Trust: 1.7
db:	JVNDB	id:	JVNDB-2018-009135	Trust: 0.8
db:	CNNVD	id:	CNNVD-201808-057	Trust: 0.7
db:	PACKETSTORM	id:	148739	Trust: 0.2
db:	VULHUB	id:	VHN-120871	Trust: 0.1

sources: VULHUB: VHN-120871 // BID: 104963 // JVNDB: JVNDB-2018-009135 // PACKETSTORM: 148739 // CNNVD: CNNVD-201808-057 // NVD: CVE-2018-11050

REFERENCES

url:	http://seclists.org/fulldisclosure/2018/jul/92	Trust: 2.8
url:	http://www.securityfocus.com/bid/104963	Trust: 1.7
url:	http://www.securitytracker.com/id/1041393	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-11050	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11050	Trust: 0.8
url:	http://www.emc.com/	Trust: 0.3
url:	https://support.emc.com/servicecenter/contactemc/).	Trust: 0.1
url:	http://www.emc.com/products/security/product-security-response-center.htm	Trust: 0.1
url:	https://support.emc.com/kb/468307).	Trust: 0.1
url:	https://support.emc.com/downloads/1095_networker	Trust: 0.1

sources: VULHUB: VHN-120871 // BID: 104963 // JVNDB: JVNDB-2018-009135 // PACKETSTORM: 148739 // CNNVD: CNNVD-201808-057 // NVD: CVE-2018-11050

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 104963

SOURCES

db:	VULHUB	id:	VHN-120871
db:	BID	id:	104963
db:	JVNDB	id:	JVNDB-2018-009135
db:	PACKETSTORM	id:	148739
db:	CNNVD	id:	CNNVD-201808-057
db:	NVD	id:	CVE-2018-11050

LAST UPDATE DATE

2024-11-23T22:48:35.556000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-120871	date:	2019-10-03T00:00:00
db:	BID	id:	104963	date:	2018-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-009135	date:	2018-11-08T00:00:00
db:	CNNVD	id:	CNNVD-201808-057	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-11050	date:	2024-11-21T03:42:34.017

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-120871	date:	2018-08-01T00:00:00
db:	BID	id:	104963	date:	2018-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-009135	date:	2018-11-08T00:00:00
db:	PACKETSTORM	id:	148739	date:	2018-07-30T17:20:17
db:	CNNVD	id:	CNNVD-201808-057	date:	2018-08-02T00:00:00
db:	NVD	id:	CVE-2018-11050	date:	2018-08-01T06:29:00.587