
A pen-tester has found six vulnerabilities in Dell EMC RecoverPoint devices, including a critical remote code execution flaw that could allow total system compromise.

EMC RecoverPoint is a disaster recovery tool that backs up local and remote storage, across data centers and across physical and virtual machines. It continuously replicates the data in real time, so if a system is compromised or data is lost (to, say, a ransomware attack or a natural disaster), RecoverPoint lets a company roll back and recover an exact image of that data as it existed at a specific moment.

Each of the flaws affects all versions of Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 5.1.1.3. The vendor has so far patched three of the issues; the fixes were released Monday in advisory DSA-2018-095 (the non-public advisory is available to registered customers via the vendor’s Product Security Response Center). For two of the remaining vulnerabilities, Dell EMC offers remediation instructions but no specific patch. The sixth, according to the researchers, is an insecure configuration option which they said also constitutes a vulnerability.

The most serious of the vulnerabilities, and one of the patched bugs, is rated critical (CVE-2018-1235, CVSS 9.8). It allows unauthenticated remote code execution with root privileges – which can pretty much hand over the keys to the kingdom to an attacker.

According to Taylor, a bad actor with visibility of a RecoverPoint device on the network (either remotely or locally) can not only gain complete control over the RecoverPoint device itself, but also the underlying Linux operating system. No credentials are needed to carry out the attack. From there, the perpetrators can pivot to wreak more havoc.

“To show the extent of compromise possible, during the engagement, once Foregenix had complete control of the RecoverPoint devices, it was then possible to exploit some of the other zero-day vulnerabilities discovered in order to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with,” he said in a disclosure posting, referring in particular to the aforementioned insecure configuration option.

Dell EMC and Taylor are providing no further details on the critical-rated flaw for fear attackers could use them as a blueprint to exploit the flaw while companies work to apply the fix.

Another patched vulnerability is a medium-severity administrative menu arbitrary file read flaw (CVE-2018-1242, CVSS 6.7). It allows an attacker with local access to the “boxmgmt” administrative menu to read files from the file system, the vendor said. Interestingly, this same system was patched for a different vulnerability back in February, for a privilege escalation issue that could allow a local attacker to run arbitrary commands with root privileges on the targeted system.

The third patched issue is also a medium-severity bug (CVE-2018-1241, CVSS 6.2). Here, LDAP plaintext credentials are leaked into a Tomcat log file if a user logs into an LDAP account via RecoverPoint’s web interface. The problem is that the credentials can remain in the log file indefinitely, and attackers with access to the RecoverPoint file system can hijack them to then compromise the LDAP account.
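A credential leak into an application log is easy to miss and cheap to check for. The following scanner is an added example, not code from Threatpost, Foregenix or Dell EMC: it walks Tomcat-style log lines, flags any line that carries a password-like value (key=value, JSON field or HTTP Basic header) and returns a redacted copy for the finding. The log lines are constructed for the example; RecoverPoint's real log format is not documented on the page, so the patterns are assumptions to be extended for the formats your own application emits.

```python
import re

# Constructed Tomcat-style log lines (not taken from RecoverPoint; the real format is unknown here).
SAMPLE_LOG = """\
2018-05-21 10:02:11 INFO  [http-nio-443-exec-3] LoginServlet - login attempt user=jsmith
2018-05-21 10:02:11 DEBUG [http-nio-443-exec-3] LdapAuth - bind dn=cn=jsmith,ou=users,dc=example,dc=com password=Winter2018!
2018-05-21 10:02:12 INFO  [http-nio-443-exec-3] LoginServlet - login ok user=jsmith
2018-05-21 10:05:40 DEBUG [http-nio-443-exec-7] LdapAuth - POST /api/login body={"username":"svc_backup","password":"P@ssw0rd"}
2018-05-21 10:06:02 WARN  [http-nio-443-exec-7] LdapAuth - bind failed for cn=svc_backup,ou=svc,dc=example,dc=com
"""

# Values that should never reach a log. Group 1 is the key/marker, group 2 the secret itself.
SECRET_PATTERNS = [
    re.compile(r'(?i)\b(password|passwd|pwd|secret)\s*=\s*(\S+)'),          # key=value
    re.compile(r'(?i)"(password|passwd|pwd|secret)"\s*:\s*"([^"]*)"'),      # JSON field
    re.compile(r'(?i)(Authorization:\s*Basic)\s+([A-Za-z0-9+/=]+)'),        # HTTP Basic header
]


def _mask(match):
    """Replace only the secret portion of a match, leaving the key visible for triage."""
    secret = match.group(2)
    if not secret:
        return match.group(0)
    return match.group(0).replace(secret, "[REDACTED]")


def redact(line):
    """Return (redacted_line, hit_count) for a single log line."""
    hits = 0
    for pat in SECRET_PATTERNS:
        line, n = pat.subn(_mask, line)
        hits += n
    return line, hits


def find_credential_leaks(log_text):
    """Scan log text; return [(line_number, redacted_line)] for every line that carried a secret."""
    findings = []
    for num, raw in enumerate(log_text.splitlines(), start=1):
        clean, hits = redact(raw)
        if hits:
            findings.append((num, clean))
    return findings


if __name__ == "__main__":
    for num, line in find_credential_leaks(SAMPLE_LOG):
        print(f"line {num}: {line}")
```

Run this over rotated logs as well as the live one: the point of the bug above is that the credential stays in the file indefinitely, so a log that was rotated before the fix was applied still holds it.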

The two unpatched vulnerabilities involve the fact that RecoverPoint is shipped with a system password hash stored in a world-readable file (i.e., it can be read by any user, according to Taylor); and the use of a hardcoded root password that can only be changed by contacting the vendor.

Dell EMC initially issued a CVE for the first of these, but then revoked it, claiming that the log file was only readable by root. Foregenix’s Taylor, however, said he was able to read the file following a web application compromise. He added that Dell EMC may nonetheless have fixed the flaw in the latest upgrade. Threatpost has reached out to Dell EMC for clarification and will update the story once more information becomes available.

As for the hardcoded password, Taylor said that the password at issue is for the root account for RecoverPoint’s underlying Linux OS. Thus, compromising the root password of one device means that an attacker could gain control over all of the devices by logging in at the local console, or gaining console access as an unprivileged user, and changing to root. Dell EMC said that rather than change that approach, it plans to update its documentation to make it clear that the password can only be changed by requesting a dedicated script from its support team.
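Both unpatched issues, the world-readable hash file and the root password shared by every device, can be audited from the defender's side. The script below is an added example written for this article, not code from Dell EMC or Foregenix: it walks a directory tree for world-readable regular files containing crypt(3)-style hash material, and separately groups a fleet's shadow entries to find devices whose root accounts carry the identical hash (which is what a hardcoded root password looks like on disk). File names, device names and the hash values are constructed for the demonstration; RecoverPoint's own file paths are not given on the page and are not assumed here.

```python
import os
import re
import stat
import tempfile

# crypt(3)-style hash fields: $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512), $y$ (yescrypt).
HASH_RE = re.compile(r'\$(?:1|5|6|y)\$[^\s:$]+\$[A-Za-z0-9./]{8,}')


def is_world_readable(mode):
    """True if the 'other' read bit is set, i.e. any local user can open the file."""
    return bool(mode & stat.S_IROTH)


def find_hashes(text):
    return HASH_RE.findall(text)


def audit_path(path):
    """Return a finding for a world-readable regular file that contains password hashes, else None."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or not is_world_readable(st.st_mode):
        return None
    with open(path, errors="replace") as fh:
        hashes = find_hashes(fh.read())
    if not hashes:
        return None
    return {"path": path, "mode": oct(st.st_mode & 0o777), "hash_count": len(hashes)}


def audit_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = audit_path(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return findings


def shared_root_hashes(shadow_by_device):
    """Given {device_name: shadow_file_text}, return {hash: [devices]} for hashes shared by
    more than one device. Any such group means one compromised box yields root on the rest."""
    by_hash = {}
    for device, text in shadow_by_device.items():
        for line in text.splitlines():
            fields = line.split(":")
            if fields[0] == "root" and len(fields) > 1:
                by_hash.setdefault(fields[1], []).append(device)
    return {h: devs for h, devs in by_hash.items() if len(devs) > 1}


def demo():
    """Constructed scenario: one leaky config file, one properly protected backup, three devices."""
    root_hash = "$6$saltsalt$" + "A" * 86          # constructed placeholder, not a real hash
    other_hash = "$6$othersalt$" + "B" * 86        # constructed placeholder, not a real hash
    with tempfile.TemporaryDirectory() as tmp:
        leaky = os.path.join(tmp, "system.conf")   # constructed name, mode 0644
        with open(leaky, "w") as fh:
            fh.write(f"root_password_hash={root_hash}\n")
        os.chmod(leaky, 0o644)
        private = os.path.join(tmp, "shadow.bak")  # constructed name, mode 0600
        with open(private, "w") as fh:
            fh.write(f"root:{root_hash}:17500:0:99999:7:::\n")
        os.chmod(private, 0o600)
        tree_findings = audit_tree(tmp)
    fleet = {
        "rp-site-a": f"root:{root_hash}:17500:0:99999:7:::\n",
        "rp-site-b": f"root:{root_hash}:17500:0:99999:7:::\n",
        "rp-site-c": f"root:{other_hash}:17500:0:99999:7:::\n",
    }
    return tree_findings, shared_root_hashes(fleet)


if __name__ == "__main__":
    tree, shared = demo()
    for f in tree:
        print(f"world-readable hash material: {f['path']} (mode {f['mode']}, {f['hash_count']} hash)")
    for h, devs in shared.items():
        print(f"identical root hash on {', '.join(devs)}")
```

`audit_tree` only reads files, so it is safe to run as an unprivileged user; a world-readable hit is by definition one that unprivileged user could open. For the fleet check, collect each device's root shadow line through whatever privileged channel you already use for configuration management rather than copying shadow files around.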

And finally, the insecure configuration option allows LDAP credentials to be sent in clear text, which means they can be intercepted by an attacker in a man-in-the-middle attack, or by someone who has gained access to the RecoverPoint device through another vulnerability.

Dell EMC said that the RecoverPoint documentation provides a warning about the insecure nature of that particular configuration, so users are setting it up that way at their own risk.

“Foregenix was able to successfully exploit this vulnerability, intercepting credentials sent from the RecoverPoint to compromise a Microsoft Active Directory domain,” Taylor said. “Foregenix would advise all RecoverPoint customers to ensure that if LDAP integration is required, it is configured to bind securely.”
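To make "configured to bind securely" concrete, here is an added example, not RecoverPoint's configuration format nor Dell EMC's or Foregenix's code: a small validator that takes an LDAP integration setting as a dictionary and lists why a bind would expose the service account's credentials, shown against a weak configuration and a hardened one. The keys (`url`, `start_tls`, `verify_cert`, `ca_file`, `bind_dn`) and the hostnames are assumptions invented for the example.

```python
from urllib.parse import urlparse

# Constructed configurations; the key names are this example's, not RecoverPoint's.
WEAK_CONFIG = {
    "url": "ldap://dc01.example.com:389",
    "start_tls": False,
    "verify_cert": False,
    "bind_dn": "cn=svc_recoverpoint,ou=svc,dc=example,dc=com",
}

HARDENED_CONFIG = {
    "url": "ldaps://dc01.example.com:636",
    "start_tls": False,
    "verify_cert": True,
    "ca_file": "/etc/ssl/certs/corp-ca.pem",   # constructed path
    "bind_dn": "cn=svc_recoverpoint,ou=svc,dc=example,dc=com",
}


def assess_ldap_config(cfg):
    """Return a list of findings; an empty list means the bind does not expose credentials."""
    findings = []
    parsed = urlparse(cfg.get("url", ""))
    scheme = parsed.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return [f"unrecognised LDAP URL scheme '{parsed.scheme}'"]

    encrypted = scheme == "ldaps" or bool(cfg.get("start_tls"))
    if not cfg.get("bind_dn"):
        findings.append("no bind DN: the integration would bind anonymously and cannot authenticate users")
    elif not encrypted:
        findings.append("simple bind over ldap:// without StartTLS: bind DN and password cross the network in clear")

    if encrypted and not cfg.get("verify_cert"):
        findings.append("TLS enabled but server certificate not verified: an interposed host can still capture the bind")
    if encrypted and cfg.get("verify_cert") and not cfg.get("ca_file"):
        findings.append("certificate verification requested but no CA bundle configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", assess_ldap_config(cfg) or "ok")
```

The second and third rules matter as much as the first: turning on ldaps:// or StartTLS without verifying the directory server's certificate moves the interception from trivial to merely easy, since the attacker only has to present their own certificate to the appliance.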
