-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2017-036: EMC Data Domain Privilege Escalation Vulnerability
EMC Identifier: ESA-2017-036
CVE Identifier: CVE-2017-4983
Severity Rating: CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected products:
EMC Data Domain OS 5.2 All versions
EMC Data Domain OS 5.4 All versions
EMC Data Domain OS 5.5 All versions
EMC Data Domain OS 5.6 All versions
EMC Data Domain OS 5.7 All versions prior to DD OS 5.7.3.0
EMC Data Domain OS 6.0 All versions prior to DD OS 6.0.1.0
Summary:
EMC Data Domain OS is affected by a privilege escalation vulnerability that
may potentially be exploited by attackers to compromise the affected system.
Details:
EMC Data Domain OS is potentially vulnerable to a privilege escalation
vulnerability.
A rogue administrator may be able to log in as the Security Office (SO) and
escalate privileges by using SO users public key that is stored unprotected on
the Data Domain system.
Resolution:
EMC recommends all customers upgrade to one of the versions listed below at the
earliest opportunity, after verifying environment compatibility:
EMC Data Domain 5.7 - DD OS 5.7.3.0 or later
EMC Data Domain 6.0 - DD OS 6.0.1.0 or later
Please verify that the backup software in your environment is compatible with
the target DD OS version before upgrading your system.
Link to remedies:
Registered EMC Online Support customers can download patches and software from:
EMC Data Domain OS 5.7 version 5.7.3.0 is available at:
https://support.emc.com
EMC Data Domain OS 6.0 version 6.0.1.0 is available at:
https://support.emc.com
If you have any questions, please contact EMC Support.
Credit:
EMC would like to thank Geoffrey Janjua from Northrop Grumman for reporting
this vulnerability.
Read and use the information in this EMC Security Advisory to assist in
avoiding any situation that might arise from the problems described herein. If
you have any questions regarding this product alert, contact EMC Software
Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution
emc218831. EMC recommends all customers take into account both the base score
and any relevant temporal and environmental scores which may impact the
potential severity associated with particular security vulnerability. EMC
Corporation distributes EMC Security Advisories, in order to bring to the
attention of users of the affected EMC products, important security
information. EMC recommends that all users determine the applicability of this
information to their individual situations and take appropriate action. The
information set forth herein is provided "as is" without warranty of any kind.
EMC disclaims all warranties, either express or implied, including the
warranties of merchantability, fitness for a particular purpose, title and
non-infringement. In no event, shall EMC or its suppliers, be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if EMC or its suppliers have been
advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages,
so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJY3A//AAoJEHbcu+fsE81ZuGcH/3k5BGtFdpaWGGpRzJiPXAQ0
mlYXqe+sPw/zDBn5Km6VF+mKBDJ2RzJAEkahhBDtrIBzAzczwpbwQ/20RQ2FI7Jq
wRWeMkfeFxEKuFm+Gkwf8QRve9tTKJnibebA1NLg4S9TSj5wR63iy4kXq/ldZvul
MG2x2Nyaoscz2AgNna0qZYFtD+jMSferX/nOAQQPxR60duw7B/AEnI7QgaO9uFH0
t6YuhGdQXsqHOFx3uIxcDpgQIuGtA3eD/ZCPAUqcFfXFLHu2ygoNBhHUJ0kEO7XO
yUw2J03cTscSyE7C6J/sc+kAHQvC4dFOkK1gYmD/V0EAV5U5iBP/IN1AdbMFG7c=
=qekP
-----END PGP SIGNATURE-----
