A recent investigation revealed six vulnerabilities in Dell EMC RecoverPoint devices. One of the flaws found allows attackers to execute remote unauthenticated code with administrator privileges.
A team of information security experts explain in one publication that if an attacker without knowledge of any credentials has RecoverPoint visibility on the network or local access to it, he can gain control over RecoverPoint and its underlying Linux operating system.
The vulnerabilities found affect all versions of Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for virtual machines prior to 18.104.22.168.
The most critical vulnerability is CVE-2018-1235, CVSS 9.8, which allows an attacker with visibility to a RecoverPoint device in the network to gain control over the underlying Linux operating system.
The Foregenix researchers commented that during a contract with an unnamed customer, once the researchers had control of the RecoverPoint devices, it was possible to exploit the discovered other zero-day vulnerabilities to pivot and gain control of the Microsoft Active Directory network with which the RecoverPoints were integrated.
On the other hand, vulnerability CVE-2018-1242, gave an attacker with access to the boxmgmt administrative menu the ability to read file system files to which only the boxmgmt user can access.
A third vulnerability, showed that RecoverPoint loses the credentials of clear text in a file of registry, the information security professionals commented.
Dell EMC issued CVE for three of the vulnerabilities and included them in its DSA-2018-095 notice of May 21.
But also the other three errors remain unpatched until now. These vulnerabilities do not have CVEs issued. It was found in one of these errors, that RecoverPoint was sent with a system password hash stored in a file readable by anyone. In a second error, it was discovered that RecoverPoint uses a coded root password that can only be changed by contacting the provider. Regarding the third vulnerability, it is an insecure configuration option that allows the LDAP credentials sent by RecoverPoint to be intercepted by the attackers.
Regarding this latest vulnerability, information security professionals recommend that RecoverPoint customers make sure that if LDAP integration is required, it is configured to link securely.
Performanta security specialist Nicholas Griffin commented that attackers could use these vulnerabilities to steal data backups using vulnerable RecoverPoint devices.
“The visibility of LDAP credentials could allow a malicious actor to gain access to other key resources on the network, or even compromise the Active Directory domain,” the information security expert said.
For the defense of attacks on internal systems; Organizations must first understand the access footprint to the system.
Bitdefender analyst Liviu Arsene said that preventing these attacks is a security defense issue throughout the organization, which is able to defend not only endpoints, but also activate a security warning indicative of possible security breaches.