
V-036: EMC Smarts Network Configuration Manager Database Authentication Bypass Vulnerability

November 29, 2012 - 3:30am


PROBLEM:

EMC Smarts Network Configuration Manager Database Authentication Bypass Vulnerability

PLATFORM:

EMC Smarts Network Configuration Manager (NCM), all versions prior to 9.1

ABSTRACT:

Two vulnerabilities were reported in EMC Smarts Network Configuration Manager.

REFERENCE LINKS:

EMC Identifier: ESA-2012-057
Secunia Advisory SA51408
SecurityTracker Alert ID: 1027812
CVE-2012-4614
CVE-2012-4615

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The system uses a hard-coded key to encrypt authentication credentials on the target system [CVE-2012-4615]. A local user with knowledge of the key can access the credentials.

A remote user can connect to the target Network Configuration Manager (NCM) database [CVE-2012-4614].

Impact:  

A remote user can connect to the target database. 

A local user can obtain passwords.

Solution:

The vendor has issued a fix (9.1).

This fix also includes security updates for Apache Tomcat and JBOSS.
