SSD Advisory – EMC IsilonSD Edge Management Server Command Injection

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes a Remote Command Injection vulnerability found in EMC IsilonSD Edge Management Server version 1.0.1.0005.

IsilonSD Edge Management Server enables you to deploy an industry-leading scale-out NAS operating system on industry-standard hardware. Key benefits of IsilonSD Edge: a simple yet powerful and efficient scale-out storage solution for remote and branch offices; easy extension of your enterprise data lake from the core data center to edge locations; and consolidation and distribution of unstructured data.

Credit
An independent security researcher, Nahuel D. Sánchez from vvvSecurity, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We have informed EMC of the vulnerability on the 24th of April 2017.

The vendor has sent the following statement in response to this advisory:
Dell EMC recently became aware of a potential vulnerability that was disclosed regarding EMC IsilonSD Management Server by third-party researchers. IsilonSD Management Server is a gateway for deploying virtual OneFS clusters on VMware ESXi. Note: IsilonSD Management Server is NOT used for deploying physical OneFS clusters.

Based on the current design of the product, we believe the reported issue does not add any additional security risk to the customer environment. The reported flaw does exist but exploitation of the vulnerability requires a privilege that is considered normal operating privilege and that should be highly protected in any Isilon deployment.

Below are our findings after initial review of the reported issue:

  • The attacker requires knowledge of the password for the IsilonSD Management Server administrator to exploit the issue described in the report.
  • The authenticated user can then run OS commands via the reported web interface flaw on the virtual OS where IsilonSD Management Server is deployed. This issue does not allow remote code execution on the virtual OneFS clusters.
  • The IsilonSD Management Server administrator user is considered a highly privileged user and has full access to the underlying virtual OS as part of the product design. Access to the IsilonSD Management Server (including the web interface) and administrative user credentials should be given to trusted users only. Any default credentials should also be changed as part of the best practice recommendations. Please see the IsilonSD Edge with IsilonSD Management Server Installation and Administration Guide for more information.

Dell EMC continuously reviews the product design for IsilonSD Management Server to identify potential areas of improvement to raise the overall security posture of the product.

SSD Advisory – Odoo CRM Code Execution

Vulnerability Summary
The following advisory describes an arbitrary Python code execution vulnerability found in Odoo CRM version 10.0.

Odoo is a suite of open source business apps that cover all your company needs: CRM, eCommerce, accounting, inventory, point of sale, project management, etc. Odoo’s unique value proposition is to be at the same time very easy to use and fully integrated.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Odoo handled the issue we reported as a private disclosure, and the patch has been merged into all supported branches.

The full public disclosure will be available at https://github.com/odoo/odoo/issues/17898.

SSD Advisory – Sophos XG Firewall Path Traversal

Vulnerabilities Summary
The following advisory describes two vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.

Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls”.

Credit
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released patches to address these vulnerabilities:
“The patches were released as part of SFOS 16.05.5 MR5:
https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-05-5-mr5-released

Our internal bug number was NC-18958, mentioned in the changelog”

CVE: CVE-2017-12854

SSD Advisory – ManageEngine Code Execution

Vulnerability Summary
The following advisory describes an Unrestricted File Upload vulnerability that leads to Code Execution, found in ManageEngine Firewall Analyzer and ManageEngine OpManager.

ManageEngine Firewall Analyzer is a browser-based firewall/VPN/proxy server reporting solution that uses a built-in syslog server to store, analyze, and report on firewall logs. Firewall Analyzer provides daily, weekly, monthly, and yearly reports on firewall traffic, security breaches, and more. This helps network administrators proactively secure networks before security threats arise, avoid network abuses, manage bandwidth requirements, monitor web site visits, and ensure appropriate usage of networks by employees.

ManageEngine OpManager is a comprehensive network monitoring software that provides network administrators with an integrated console for managing routers, firewalls, servers, switches, and printers. OpManager offers extensive fault management and performance management functionality. It provides handy but powerful customizable dashboards and CCTV views that display the immediate status of your devices, at-a-glance reports, business views, etc. OpManager also provides many out-of-the-box graphs and reports, which give network administrators a wealth of information about the health of their networks, servers, and applications.

Credit
An independent security researcher, Yasser Ali (https://yasserali.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
ManageEngine has released patches to address these vulnerabilities and issued the following advisory: https://desk.zoho.com/portal/manageengine/kb/articles/latest-consolidated-patch
