CVE-2017-8011

EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M&R prior to 4.1, EMC VNX M&R all versions, EMC M&R (Watch4Net) for SAS Solution Packs all versions) contain undocumented accounts with default passwords for Webservice Gateway and RMI JMX components. A remote attacker with the knowledge of the default password may potentially use these accounts to run arbitrary web service and remote procedure calls on the affected system.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://seclists.org/fulldisclosure/2017/Jul/21	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/99555	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038905	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dell:emc_m\&r:-:::::::*
	cpe:2.3:a:dell:emc_storage_monitoring_and_reporting:4.0.2:::::::*
	cpe:2.3:a:dell:emc_vipr_srm::::::::
	cpe:2.3:a:dell:emc_vnx_monitoring_and_reporting:-:::::::*

History

No history.

Information

Published : 2017-07-17 14:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-8011

Mitre link : CVE-2017-8011

CVE.ORG link : CVE-2017-8011

JSON object : View

Products Affected

dell

emc_vipr_srm
emc_vnx_monitoring_and_reporting
emc_m\&r
emc_storage_monitoring_and_reporting

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2017-8011", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2017-07-17T14:29:01.250", "references": [{"url": "http://seclists.org/fulldisclosure/2017/Jul/21", "tags": ["Mailing List", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "http://www.securityfocus.com/bid/99555", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security_alert@emc.com"}, {"url": "http://www.securitytracker.com/id/1038905", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M&R prior to 4.1, EMC VNX M&R all versions, EMC M&R (Watch4Net) for SAS Solution Packs all versions) contain undocumented accounts with default passwords for Webservice Gateway and RMI JMX components. A remote attacker with the knowledge of the default password may potentially use these accounts to run arbitrary web service and remote procedure calls on the affected system."}, {"lang": "es", "value": "EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R para SAS Solution Packs (EMC ViPR SRM anterior a versi\u00f3n 4.1, EMC Storage M&R anterior a versi\u00f3n 4.1, EMC VNX M&R todas las versiones, EMC M&R (Watch4Net) para todas las versiones de SAS Solution Packs), contienen cuentas no documentadas con contrase\u00f1as por defecto para los componentes WebService Gateway y RMI JMX. Un atacante remoto con conocimiento de la contrase\u00f1a por defecto puede usar estas cuentas para ejecutar servicios web arbitrarios y llamadas a procedimientos remotos sobre el sistema afectado."}], "lastModified": "2021-09-13T12:06:56.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_m\\&r:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53A85D4E-3852-4638-9CD0-EBA9544B950F"}, {"criteria": "cpe:2.3:a:dell:emc_storage_monitoring_and_reporting:4.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D171B347-D3A0-4067-B92F-60FE4DC64F3E"}, {"criteria": "cpe:2.3:a:dell:emc_vipr_srm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15CDF8E3-4681-48E5-A0D3-CF40E301D23C", "versionEndIncluding": "4.0.2"}, {"criteria": "cpe:2.3:a:dell:emc_vnx_monitoring_and_reporting:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE16D5AE-ABC8-4210-A54C-67F2162F64E7"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}