Several flaws discovered in Dell EMC RecoverPoint devices

News by Rene Millman

Security researchers have unearthed six flaws in Dell EMC RecoverPoint devices. One flaw could enable attackers to execute unauthenticated remote code with root privileges.

Security researchers have unearthed six flaws in Dell EMC RecoverPoint devices. One flaw could enable attackers to execute unauthenticated remote code with root privileges.

This means, that if an attacker with no knowledge of any credentials has visibility of RecoverPoint on the network, or local access to it, they can gain complete control over the RecoverPoint and its underlying Linux operating system, according to a blog post by researchers at Foregenix.

The vulnerabilities affect all versions of Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 5.1.1.3.

The worse bug (CVE-2018-1235, CVSS 9.8) allowed an attacker with visibility of a RecoverPoint device on the network to gain complete control over the underlying Linux operating system.

Researchers said that during a recent engagement with an unnamed client, once Foregenix had complete control of the RecoverPoint devices, it was then possible to “exploit some of the other zero-day vulnerabilities discovered in order to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with”.

Another bug (CVE-2018-1242) enabled an attacker with access to the boxmgmt administrative menu can read files from the file system which are accessible to the boxmgmt user.

A third vulnerability, in certain conditions, saw RecoverPoint leak plaintext credentials into a log file. 

At the time of writing Dell EMC has issued CVEs for three of the vulnerabilities and included them in its advisory DSA-2018-095 scheduled for public release on 21 May this year.

However, three other bugs remain unpatched at the time of writing. These flaws do not have CVEs issued. One found that RecoverPoint shipped with a system password hash stored in a world readable file. A second one discovered that RecoverPoint uses a hardcoded root password which can only be changed by contacting the vendor. A third flaw was an insecure configuration option permits LDAP credentials sent by the RecoverPoint to be intercepted by attackers.

For the last flaw, researchers said it “would advise all RecoverPoint customers to ensure that if LDAP integration is required, it is configured to bind securely”.

Nicholas Griffin, senior cyber security specialist at Performanta, told SC Media UK that attackers could use these vulnerabilities to steal or poison data backups, using vulnerable RecoverPoint appliances as effective staging posts to launch further attacks throughout the network. 

“Not only that, but visibility into LDAP credentials could allow an attacker to gain access to other key resources in the network, or even compromise the entire Active Directory domain,” he said.

“To defend against attacks to internal systems like these, organisations need to firstly understand the access footprint to the system. Ask yourself - is it possible to access this system publicly? If not, which devices in the network would an attacker have to compromise to be able to see this system? Which users are able to authenticate to the system? Do any of these users also have access to other sensitive resources on my network?”

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that preventing these attacks is a matter of deploying a layered security defence throughout the entire organisation, that's capable of defending not just endpoints (physical or virtual) but also trigger security warning indicative of potential security breaches. 

“Of course, constantly applying the latest security patches is more than recommended as it can help prevent threat actors from leveraging known vulnerabilities to breach perimeter defences,” he said.
Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events