PROBLEM:
EMC AlphaStor Command Injection and Format String Flaws Let Remote Users Execute Arbitrary Code
PLATFORM:
EMC AlphaStor 4.0 prior to build 800 (All platforms)
ABSTRACT:
Two vulnerabilities were reported in EMC AlphaStor.
REFERENCE LINKS:
ESA-2013-008:
SecurityTracker Alert ID: 1028020
Secunia Advisory SA51930
CVE-2013-0928
CVE-2013-0929
IMPACT ASSESSMENT:
Medium
DISCUSSION:
A remote user can send a specially crafted DCP run command to inject commands and cause the Device Manager (rrobotd.exe) to execute arbitrary code on the target system [CVE-2013-0928].
A remote user can send specially crafted commands to trigger a format string flaw in a _vsnsprintf() function in the Device Manager and execute arbitrary code on the target system [CVE-2013-0929].
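The two defect classes named above, a format string reaching a vsnprintf-family call and an unvalidated argument of a run-style command, are illustrated here as an added example in C. It is not EMC's code and does not reproduce AlphaStor's DCP protocol; the function names, the wrapper `format_with()`, the allow-listed token shape for `run_arg_is_safe()`, and the sample messages are all assumptions constructed for the illustration. It shows the vulnerable formatting pattern beside its fixed form, a check that counts conversion directives in an inbound message, and an allow-list validator for a command argument.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin wrapper around vsnprintf(); stands in for the _vsnprintf()-style
 * formatting call the advisory names (assumed, not AlphaStor's code). */
static int format_with(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE PATTERN: the peer-supplied message is used as the format
 * string, so any '%' directives it carries are interpreted by vsnprintf().
 * Never call this with untrusted data; it is kept only to contrast with
 * the fixed form below. */
int echo_command_vulnerable(char *out, size_t n, const char *untrusted)
{
    return format_with(out, n, untrusted);
}

/* HARDENED: a fixed format string; the message is passed as data only,
 * so "%s%08x" in the input stays literal text in the output. */
int echo_command_fixed(char *out, size_t n, const char *untrusted)
{
    return format_with(out, n, "%s", untrusted);
}

/* Returns 1 if the hardened form reproduces the message byte for byte
 * (directives left uninterpreted), 0 otherwise. */
int fixed_keeps_directives_literal(const char *msg)
{
    char buf[256];
    echo_command_fixed(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

/* Count '%' conversion directives in s ("%%" is a literal percent sign).
 * A message that should never contain directives but does is worth
 * logging or rejecting at the protocol boundary. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, not a directive */
        count++;
    }
    return count;
}

/* Allow-list check for one argument of a run-style command. The accepted
 * token shape (letters, digits, '.', '_', '-') is an assumption for this
 * example; shell metacharacters, whitespace and control characters are
 * rejected so a single argument cannot carry additional commands. */
int run_arg_is_safe(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic */
    const char *fmt_probe = "run %s%s%08x";
    char buf[64];

    echo_command_fixed(buf, sizeof buf, fmt_probe);
    printf("fixed output:   \"%s\"\n", buf);
    printf("directives:     %d\n", count_format_directives(fmt_probe));
    printf("arg checks:     %d %d\n", run_arg_is_safe("backup_job1"),
           run_arg_is_safe("job;calc.exe"));
    return 0;
}
```

The fix for the format string class is the one-token change from `format_with(out, n, untrusted)` to `format_with(out, n, "%s", untrusted)`; the directive counter and the allow-list check are the kind of input validation a listener such as the Device Manager should apply before a message reaches any formatting or command-dispatch code.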
IMPACT:
A remote user can execute arbitrary code on the target system.
SOLUTION:
The vendor has issued a fix (4.0 build 800).