Dell EMC Response to DPA Remote Code Execution Vulnerability Claims by ZDI (ZDI-17-812)
Dell EMC takes security very seriously, consistently working with the security community to respond to, and to mitigate, reported vulnerabilities in a timely manner.
The original report from ZDI (ZDI-CAN-4697/ ZDI-17-812) chained other vulnerabilities that were reported in conjunction with ZDI-CAN-4697 to achieve pre-authentication remote code execution. Dell EMC has addressed the other vulnerabilities reported to us by ZDI (CVE-2017-8002, CVE-2017-8003 and CVE-2017-8013) and has issued security advisories (ESA-2017-075 and ESA-2017-098) to notify customers to properly patch and mitigate these vulnerabilities.
With fixes for CVE-2017-8002, CVE-2017-8003 and CVE-2017-8013 applied to DPA, chaining will no longer result in the exploitation of ZDI-CAN-4697/ ZDI-17-812 as described in the ZDI article. DPA administrator credentials are required to invoke identified REST API calls. They cannot be invoked without DPA authentication nor by DPA user accounts with lower level privileges. The module in question is used by DPA administrators to execute custom non-DPA reporting scripts created by customers. This feature is documented for customers in the DPA product documentation. The scripts are executed with the privileges of the application server hosting the DPA application. Dell EMC always recommends customers to follow the least privilege principle when installing and running the application server.
When DPA is installed and configured per Dell EMC best practices and with the latest security patches outlined above, ZDI-CAN-4697/ ZDI-17-812, as a standalone issue, does not introduce additional risk to the customer environment.
Customers are strongly advised to apply security fixes outlined in ESA-2017-075 and ESA-2017-098. Security advisories can be found here EMC Security Advisories (requires Dell EMC Online Support credentials). In addition, customers are advised to follow the security best practices outlined below. Please see Dell EMC Data Protection Advisor Security Configuration Guide for more information.
- Change any default passwords for DPA administrator and limit this privilege to trusted users only
- Run application server where DPA is installed with least privileged account
- Block all traffic to DPA by default and explicitly allow only specific traffic from known hosts.
Direct links to security advisories (requires Dell EMC Online Support credentials)
Dell EMC Data Protection Advisor documentation can be found here: https://support.emc.com/products/829_Data-Protection-Advisor/Documentation/.