CVE-2018-1216 — CRITICAL (9.8)

Q: How severe is CVE-2018-1216?

CVE-2018-1216 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-1216?

Check the references section above for vendor advisories and patch information. Affected products include: Dell Emc Solutions Enabler Virtual Appliance, Dell Emc Unisphere For Vmax Virtual Appliance, Dell Emc Vasa Virtual Appliance, Dell Emc Vmax Embedded Management.

Vulnerability Description

A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, and Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier). They contain an undocumented default account (smc) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Dell	Emc Solutions Enabler Virtual Appliance	< 8.4.0.21
Dell	Emc Unisphere For Vmax Virtual Appliance	< 8.4.0.18
Dell	Emc Vasa Virtual Appliance	< 8.4.0.514
Dell	Emc Vmax Embedded Management	<= 1.4

Related Weaknesses (CWE)

CWE-798

References

http://seclists.org/fulldisclosure/2018/Feb/41Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/103039Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040383Third Party AdvisoryVDB Entry
https://www.tenable.com/security/research/tra-2018-03Third Party Advisory
http://seclists.org/fulldisclosure/2018/Feb/41Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/103039Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040383Third Party AdvisoryVDB Entry
https://www.tenable.com/security/research/tra-2018-03Third Party Advisory

FAQ

What is CVE-2018-1216?

CVE-2018-1216 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Emb...

How severe is CVE-2018-1216?

CVE-2018-1216 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-1216?

Check the references section above for vendor advisories and patch information. Affected products include: Dell Emc Solutions Enabler Virtual Appliance, Dell Emc Unisphere For Vmax Virtual Appliance, Dell Emc Vasa Virtual Appliance, Dell Emc Vmax Embedded Management.