CVE-2017-8011

17.07.2017, 14:29

EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M&R prior to 4.1, EMC VNX M&R all versions, EMC M&R (Watch4Net) for SAS Solution Packs all versions) contain undocumented accounts with default passwords for Webservice Gateway and RMI JMX components. A remote attacker with the knowledge of the default password may potentially use these accounts to run arbitrary web service and remote procedure calls on the affected system.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
dell	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 94%

Vendor	Product	Version
dell	emc_m\&r	-
dell	emc_storage_monitoring_and_reporting	4.0.2
dell	emc_vipr_srm	𝑥 ≤ 4.0.2
dell	emc_vnx_monitoring_and_reporting	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-798 - Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

http://seclists.org/fulldisclosure/2017/Jul/21

http://www.securityfocus.com/bid/99555

http://www.securitytracker.com/id/1038905

http://seclists.org/fulldisclosure/2017/Jul/21

http://www.securityfocus.com/bid/99555

http://www.securitytracker.com/id/1038905