Sign-up

ID

VAR-201911-1166


CVE

CVE-2019-18580


TITLE

Dell EMC Storage Monitoring and Reporting Vulnerable to unreliable data deserialization

Trust: 0.8

sources: JVNDB: JVNDB-2019-013090

DESCRIPTION

Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Java RMI service, which listens on TCP port 52569 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. The software provides features such as storage performance monitoring and report generation

Trust: 2.34

sources: NVD: CVE-2019-18580 // JVNDB: JVNDB-2019-013090 // ZDI: ZDI-19-996 // VULHUB: VHN-150941

AFFECTED PRODUCTS

vendor:dellmodel:emc storage monitoring and reportingscope:eqversion:4.3.1

Trust: 1.6

vendor:dell emc old emcmodel:storage m&rscope:eqversion:4.3.1

Trust: 0.8

vendor:dellmodel:emc storage monitoring and reportingscope: - version: -

Trust: 0.7

sources: ZDI: ZDI-19-996 // JVNDB: JVNDB-2019-013090 // CNNVD: CNNVD-201911-1415 // NVD: CVE-2019-18580

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18580
value: CRITICAL

Trust: 1.0

security_alert@emc.com: CVE-2019-18580
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-18580
value: CRITICAL

Trust: 0.8

ZDI: CVE-2019-18580
value: CRITICAL

Trust: 0.7

CNNVD: CNNVD-201911-1415
value: CRITICAL

Trust: 0.6

VULHUB: VHN-150941
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-18580
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150941
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-18580
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

security_alert@emc.com: CVE-2019-18580
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2019-18580
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2019-18580
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-19-996 // VULHUB: VHN-150941 // JVNDB: JVNDB-2019-013090 // CNNVD: CNNVD-201911-1415 // NVD: CVE-2019-18580 // NVD: CVE-2019-18580

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.9

sources: VULHUB: VHN-150941 // JVNDB: JVNDB-2019-013090 // NVD: CVE-2019-18580

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-1415

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201911-1415

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-013090

PATCH
title:DSA-2019-176: Dell EMC Storage Monitoring and Reporting (SMR) Java RMI Deserialization of Untrusted Data Vulnerabilityurl:https://www.dell.com/support/security/ja-jp/details/538977/DSA-2019-176-Dell-EMC-Storage-Monitoring-and-Reporting-SMR-Java-RMI-Deserialization-of-Untruste
Trust: 0.8
title:Dell has issued an update to correct this vulnerability.url:https://www.dell.com/support/security/es-es/details/538977/DSA-2019-176-Dell-EMC-Storage-Monitoring-and-Reporting-SMR-Java-RMI-Deserialization-of-Untruste
Trust: 0.7
title:Dell EMC Storage Monitoring and Reporting Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=105215
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-996 // 
            
            
            
            JVNDB: JVNDB-2019-013090 // 
            
            
            
            CNNVD: CNNVD-201911-1415

EXTERNAL IDS
db:NVDid:CVE-2019-18580
Trust: 3.2
db:ZDIid:ZDI-19-996
Trust: 1.3
db:JVNDBid:JVNDB-2019-013090
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-8929
Trust: 0.7
db:CNNVDid:CNNVD-201911-1415
Trust: 0.7
db:VULHUBid:VHN-150941
Trust: 0.1
sources:
            
            
            ZDI: ZDI-19-996 // 
            
            
            
            VULHUB: VHN-150941 // 
            
            
            
            JVNDB: JVNDB-2019-013090 // 
            
            
            
            CNNVD: CNNVD-201911-1415 // 
            
            
            
            NVD: CVE-2019-18580

REFERENCES
url:https://www.dell.com/support/security/en-us/details/538977/dsa-2019-176-dell-emc-storage-monitoring-and-reporting-smr-java-rmi-deserialization-of-untruste
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-18580
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18580
Trust: 0.8
url:https://www.dell.com/support/security/es-es/details/538977/dsa-2019-176-dell-emc-storage-monitoring-and-reporting-smr-java-rmi-deserialization-of-untruste
Trust: 0.7
url:https://www.zerodayinitiative.com/advisories/zdi-19-996/
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-996 // 
            
            
            
            VULHUB: VHN-150941 // 
            
            
            
            JVNDB: JVNDB-2019-013090 // 
            
            
            
            CNNVD: CNNVD-201911-1415 // 
            
            
            
            NVD: CVE-2019-18580

CREDITS
tint0 of Viettel Cyber Security
Trust: 1.3
sources:
            
            
            ZDI: ZDI-19-996 // 
            
            
            
            CNNVD: CNNVD-201911-1415

SOURCES
db:ZDIid:ZDI-19-996
db:VULHUBid:VHN-150941
db:JVNDBid:JVNDB-2019-013090
db:CNNVDid:CNNVD-201911-1415
db:NVDid:CVE-2019-18580

LAST UPDATE DATE
2024-11-23T23:11:37.721000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-19-996date:2019-11-26T00:00:00
db:VULHUBid:VHN-150941date:2019-12-16T00:00:00
db:JVNDBid:JVNDB-2019-013090date:2019-12-19T00:00:00
db:CNNVDid:CNNVD-201911-1415date:2019-12-17T00:00:00
db:NVDid:CVE-2019-18580date:2024-11-21T04:33:20.227

SOURCES RELEASE DATE
db:ZDIid:ZDI-19-996date:2019-11-26T00:00:00
db:VULHUBid:VHN-150941date:2019-11-26T00:00:00
db:JVNDBid:JVNDB-2019-013090date:2019-12-19T00:00:00
db:CNNVDid:CNNVD-201911-1415date:2019-11-26T00:00:00
db:NVDid:CVE-2019-18580date:2019-11-26T17:15:12.750