V-075: EMC AlphaStor Command Injection and Format String Flaws Let Remote Users Execute Arbitrary Code

January 23, 2013 - 12:26am

PROBLEM:

EMC AlphaStor Command Injection and Format String Flaws Let Remote Users Execute Arbitrary Code

PLATFORM:

EMC AlphaStor 4.0 prior to build 800 (All platforms)

ABSTRACT:

Two vulnerabilities were reported in EMC AlphaStor.

REFERENCE LINKS:

ESA-2013-008:
SecurityTracker Alert ID: 1028020
Secunia Advisory SA51930
CVE-2013-0928
CVE-2013-0929

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A remote user can send a specially crafted DCP run command to inject commands and cause the Device Manager (rrobotd.exe) to execute arbitrary code on the target system [CVE-2013-0928].

A remote user can send specially crafted commands to trigger a format string flaw in a _vsnsprintf() function in the Device Manager and execute arbitrary code on the target system [CVE-2013-0929].
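The class of flaw described for CVE-2013-0929, shown as an added illustration beside its corrected form; this is not EMC's code. The function names, the standard C `vsnprintf()` wrapper and the sample command are hypothetical, and the example assumes that received command text reaches the formatter as its format argument, which the advisory does not detail.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Shared formatter: a thin wrapper over standard C vsnprintf(). */
static int format_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Flawed pattern: the received command text is used as the format string,
 * so any '%' directive inside it is interpreted by the formatter. */
int log_command_flawed(char *out, size_t n, const char *cmd)
{
    return format_into(out, n, cmd);
}

/* Corrected pattern: constant format, received text passed only as data. */
int log_command_fixed(char *out, size_t n, const char *cmd)
{
    return format_into(out, n, "%s", cmd);
}

/* Review/triage helper: does untrusted text contain a conversion directive
 * other than the literal "%%"? Such input must never reach a format slot. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input; "%%" is well defined and consumes no argument. */
    const char *cmd = "run job 100%% complete";
    char a[64], b[64];
    log_command_flawed(a, sizeof a, cmd);
    log_command_fixed(b, sizeof b, cmd);
    printf("flawed: %s\nfixed:  %s\nsame: %d\n", a, b, strcmp(a, b) == 0);
    return 0;
}
```

The flawed wrapper rewrites the input because it interprets it, while the fixed wrapper reproduces it byte for byte; compiler checks such as `-Wformat-security` flag the flawed call shape when the wrapper carries a printf format attribute.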

IMPACT:

A remote user can execute arbitrary code on the target system.

SOLUTION:

The vendor has issued a fix (4.0 build 800).