‘Complete compromise’: DIY admin, or DoS your victim
Researchers with Digital Defence have reported six dangerous vulnerabilities in EMC’s VMAX product line that can grant remote attackers arbitrary command execution with root privileges.
The since-patched flaws affect Unisphere for VMAX and vApp Manager versions 8.0 to 8.2 – and also open up avenues for denial of service.
Two critical vulnerabilities in vApp Manager permit unauthenticated command execution through crafted AMF messages leading to arbitrary command execution with root privileges and complete compromise.
Attackers can also add new administrator users through the second critical flaw.
The vApp Manager for Unisphere for VMAX web app runs on port 5480 and the Flash-based user interface uses the AMF protocol to communicate with the server.
The GetSymmCmdCommand class executes the AMF message using the ExecUtil class which calls Java’s Runtime exec method with the string array as the argument before returning the output to the client. No validation is done on the input for this command. No authentication is required to exploit this vulnerability.
…The RemoteServiceHandler class handles AMF messages using the ‘executeCommand’ operation.
This class only verifies that the client session is valid for the GeneralCmdRequest, GetCommandExecRequest, and PersistantDataRequest AMF messages.
The lack of session validation by this class for other AMF message types allows unauthenticated users to bypass authentication and call several other classes such as UserManagementRequest (can be used to add new admin user) and GetSymmCmdRequest (arbitrary root command execution).
Four of the six flaws are rated high severity, including three avenues for further “complete compromise” of vApp manager and arbitrary file retrieval against Unisphere for VMAX.
The bugs are squashed in recent security updates (registration wall [PDF]). ®