Several vulnerabilities have recently been disclosed in EMC products; they could allow a remote authenticated attacker to gain information about the application by causing execution of arbitrary SQL commands. In light of this disclosure, cyber security experts from Tripwire and Positive Technologies have given comment:
Craig Young, Security Researcher at Tripwire, said: "The command injection, SQL injection, and path traversal vulnerabilities all require that the attacker already has privileged access to the affected system. This greatly reduces the risk of attack since it is likely that anyone with access to exploit the vulnerabilities would not really need to use them.
"The default account credential issue is probably the most serious of the bunch since it can be exploited by someone with no legitimate access to the system. Without additional information, it is not possible to tell, but it seems likely that the undocumented account would not give the attacker the ability to exploit the other flaws.
"An attacker may be able to gain access to other user accounts through compromise of the local LDAP service if the default account credentials are enabled. From my interpretation of these vulnerability reports, however, I would not expect that hackers have many options to use these vulnerabilities to take over infrastructure and hack users.
"This is namely due to the fact that the vulnerabilities can only be exploited by someone who already has access to make configuration changes to the product, and these changes could already be used to steal account credentials or potentially seed malware to users of the NAS.
"The OpenDS admin account credentials should be changed ASAP as per: https://support.emc.com/kb/483941
"The other flaws are limited to authorized users or attackers who have managed to steal account credentials. Following the principle of least privilege can help in this situation. Organizations should limit administrative access to whatever extent is possible. Only trusted personnel should have access to administer these systems, and their access can be limited further with proper network segmentation.
"For the blind SQL injection, it is unclear what level of permission the attacker needs to exploit the vulnerability. It may be possible that normal users can access the vulnerable component. For this situation, tools like IDS or IPS can help alert to SQL injection attempts on the network but these technologies are not themselves without risk.
"Another option may be to install monitoring software on the database server itself to recognize unexpected queries that an attacker may use to siphon data via SQL injection.
"It is critical that embedded systems like this receive regular security audits and that patches are applied promptly. These systems should also never be exposed to the Internet at the risk of giving an intruder a way to enter a private network.
"Although I don’t see these attacks as likely vectors for an outside attacker to breach the network, there is still a high potential for insider threat. An employee with administrative access to the system may for example use these flaws to backdoor the product so that they may access data without leaving a trace or perhaps even to gain access after leaving their job. Product owners should definitely patch ASAP."
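As an added illustration of the database-side monitoring Young describes (recognising queries the application itself would never issue), the following Python script is example code written for this page; it is not code from Tripwire, EMC or any of the products discussed. It assumes a plain-text query log in the form `<timestamp> <db user> <sql>` (a constructed format) and a short allowlist of the application's own query shapes; both the sample log lines and the allowlist are constructed for the example. Each statement is reduced to a "shape" by replacing literals with `?`, and any shape not on the allowlist is reported.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a database query log. The line format is an
# assumption for this example: "<timestamp> <db_user> <sql statement>".
# Lines 4 and 5 are the kind of statement a blind SQL injection probe
# produces; the rest are ordinary application traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 appsvc SELECT name, size FROM backups WHERE client_id = 42
2024-01-01T10:00:02 appsvc UPDATE jobs SET status = 'done' WHERE job_id = 1001
2024-01-01T10:00:03 appsvc SELECT name, size FROM backups WHERE client_id = 17
2024-01-01T10:00:04 appsvc SELECT name, size FROM backups WHERE client_id = 42 AND 1=1
2024-01-01T10:00:05 appsvc SELECT name, size FROM backups WHERE client_id = 42 AND (SELECT COUNT(*) FROM users) > 0
2024-01-01T10:00:06 appsvc SELECT name, size FROM backups WHERE client_id = 99
"""

# Known-good query shapes, i.e. what the application's parameterised
# statements look like after normalisation. Constructed here; in practice
# the list is derived from the application code or from a learning period
# on a system believed to be clean.
KNOWN_SHAPES: Set[str] = {
    "select name, size from backups where client_id = ?",
    "update jobs set status = ? where job_id = ?",
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")   # 'text' with '' escapes
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")        # integer or decimal literal
_WHITESPACE = re.compile(r"\s+")
_LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<sql>.+)$")


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: literals -> '?', whitespace collapsed, lowercased.

    String literals are replaced first so digits inside them are not treated
    as separate numeric literals.
    """
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _WHITESPACE.sub(" ", shape).strip().lower()


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into timestamp, database user and SQL text."""
    match = _LOG_LINE.match(line)
    if not match:
        raise ValueError(f"unparseable log line: {line!r}")
    return match.groupdict()


def find_unexpected(log_text: str, known_shapes: Set[str]) -> List[Dict[str, str]]:
    """Return every log entry whose query shape is not on the allowlist."""
    unexpected: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        shape = normalize(entry["sql"])
        if shape not in known_shapes:
            entry["shape"] = shape
            unexpected.append(entry)
    return unexpected


if __name__ == "__main__":
    for hit in find_unexpected(SAMPLE_LOG, KNOWN_SHAPES):
        print(f"{hit['ts']} user={hit['user']} unexpected shape: {hit['shape']}")
```

The allowlist approach needs no knowledge of attacker syntax: an injected condition changes the shape of the statement, so it stands out regardless of how it is written. The trade-off is that the baseline has to be built from a period when the system was clean, and applications that assemble queries dynamically produce many legitimate shapes that all need to be captured before alerts become useful.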
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, added: "Among the listed vulnerabilities, the most severe one is an undocumented account with a default password in EMC ESRS Policy Manager: an attacker may gain administrator privileges to the local LDAP directory server. SQL Injection and Path Traversal vulnerabilities in EMC Data Protection Advisor are pretty serious as well: an attacker can access a lot of unauthorized information.
"To fix these flaws you have to update all the affected applications, which usually takes time. We would recommend using web application firewalls to protect the applications before their code is fixed.
"It's also worth noting that these vulnerabilities are very common; they are listed among the most popular web application vulnerabilities of recent years, and these flaws are quite easy to detect if vendors apply automated source code analysis before they provide their products to customers."