[NT] EMC DiskXtender Multiple Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



EMC DiskXtender Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://software.emc.com/products/product_family/diskxtender_family.htm>
EMC DiskXtender is "a data backup and migration suite. It consists of
several applications that are used to manage storing large quantities of
files across multiple storage devices. The main components of the product
suite are the File System Manager, the MediaStor and the License Server.
These components all create RPC endpoints that can be accessed remotely.
One of the components of DiskXtender is the MediaStor, which is used to
provide support for a variety of media and device types, another ne of the
components of DiskXtender is the File System Manager, which is used to
create and manage backups., ". Multiple vulnerabilities have been
discovered in EMC DiskXtender's components.

DETAILS

Vulnerable Systems:
* EMC DiskXtender version 6.20.060

EMC DiskXtender Authentication Bypass Vulnerability
Remote exploitation of an authentication bypass vulnerability in EMC
Corp.'s DiskXtender could allow an attacker to execute arbitrary code.

Each of the main components of the DiskXtender suite is vulnerable to an
authentication bypass vulnerability. Specifically, the authentication code
contains a hard-coded login and password. By connecting to the RPC
interface, and logging on with these credentials, it is possible to bypass
the normal authentication process.

Analysis:
Exploitation of this vulnerability results in an unauthenticated attacker
gaining administrative access to the DiskXtender server. This allows an
attacker to create and delete files on the backup server, and run other
DiskXtender commands. This could potentially lead to the execution of
arbitrary code with SYSTEM privileges.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0961>
CVE-2008-0961

EMC DiskXtender File System Manager Stack Buffer Overflow Vulnerability
Remote exploitation of a buffer overflow vulnerability in EMC Corp.'s
DiskXtender could allow an attacker to execute arbitrary code with the
privileges of the affected service.

The File System Manager is prone to a stack-based buffer overflow
vulnerability. When handling requests on the RPC interface with UUID
b157b800-aef5-11d3-ae49-00600834c15f, the service does not properly
validate the length of a string in the request. By making a specially
crafted request, a stack based buffer overflow occurs.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. In order
to exploit this vulnerability, authentication is required.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0962>
CVE-2008-0962

EMC DiskXtender MediaStor Format String Vulnerability
Remote exploitation of a format string vulnerability in EMC Corp.'s
DiskXtender could allow an attacker to execute arbitrary code with the
privileges of the affected service.

When handling requests on the RPC interface with UUID
b157b800-aef5-11d3-ae49-00600834c15f, the service does not properly
validate the content of a string in requests. Since this string is passed
directly to a formatting function, a format string vulnerability occurs.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. In order
to exploit this vulnerability, authentication is required.

Vendor response:
"EMC has issued updates to correct this issue. More details can be found
in knowledgebase article emc184091 available from powerlink.emc.com. EMC
customers can further contact EMC Software Technical Support at
1-877-534-2867."

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0963>
CVE-2008-0963

Disclosure timeline:
02/21/2008 - Initial vendor notification
02/22/2008 - Initial vendor response
04/09/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=685>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=685,
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=684>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=684
and
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=683>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=683



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages