Advisory

Han Sahin, November 2014

Command injection vulnerability in EMC Secure Remote Services Virtual Edition

Abstract

A command injection vulnerability was found in EMC Secure Remote Services Virtual Edition (ESRS VE) that allows an attacker to execute arbitrary system commands and take full control over ESRS VE.

Affected versions

EMC reports that the following versions are affected by this vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03

See also

- CVE-2015-0525
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security Update for Multiple Vulnerabilities

Fix

EMC released EMC Secure Remote Services Virtual Edition 3.04 that resolves this vulnerability. Registered EMC Online Support customers can download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition -> Downloads

Introduction

EMC Secure Remote Services (ESRS) is a two-way remote connection between EMC Customer Service and your EMC products and solutions. ESRS maintains connectivity with your EMC products around the clock and automatically notifies EMC if a problem or potential problem occurs. If troubleshooting is necessary, an authorized and authenticated EMC Customer Service professional uses the secure connection to establish a remote session to diagnose, and if necessary, to repair your EMC products and solutions.

A command injection vulnerability was found in EMC Secure Remote Services Virtual Edition (ESRS VE) that allows an attacker to execute arbitrary system commands and take full control over ESRS VE.

Details

The command injection vulnerability exists in the PVSServiceImpl class of the Provisioning component. In particular, the serialno argument is not validated and is concatenated directly into a system command string that is then executed. An attacker can supply a specially crafted value as serialno, which results in arbitrary commands being executed.

com/emc/esrs/provisioning/service/PVSServiceImpl.java (decompiled; the method is shown only up to the point relevant to this advisory):

private void copyCertstoDir(String serialno)
   throws IOException
{
   try
   {
      String[] cmd_exec = new String[4];
      String s = null;

      // serialno is inserted into each command string without any validation
      cmd_exec[0] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmers " + (String)this.configurations.get("gw.dir"));
      cmd_exec[1] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmersgw " + (String)this.configurations.get("gw.dir"));
      cmd_exec[2] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/Gateway/xgDeployConfig.xml " + (String)this.configurations.get("gw.dir"));
      cmd_exec[3] = ((String)this.configurations.get("provclient.datfile.generation") + " -generateDat");

      for (String cmd : cmd_exec) {
         this.logger.debug("Copy Certs to Dir:" + cmd);
         // the attacker-influenced command string is handed to Runtime.exec() as-is
         Process p_exec = Runtime.getRuntime().exec(cmd);
         BufferedReader stdInput2 = new BufferedReader(new InputStreamReader(p_exec.getInputStream()));
         BufferedReader stdError2 = new BufferedReader(new InputStreamReader(p_exec.getErrorStream()));
         // ... remainder of the method not included in this advisory
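The following is a hardened rewrite of the method above, added here as an illustration and not taken from EMC's code: the serial number is checked against a strict allowlist, the resolved session directory is confined to its root, and the files are copied with java.nio instead of by building a command string. The class name, the serial-number format, the directory paths and the file list are assumptions based on the decompiled snippet.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.regex.Pattern;

public class CertCopyHardened {
    // Assumed serial-number format: short alphanumerics only; anything else is rejected.
    private static final Pattern SERIALNO = Pattern.compile("^[A-Za-z0-9-]{1,32}$");

    // Files copied from the session directory into the gateway directory (taken from the snippet).
    private static final String[] CERT_FILES = {
        "Temp1/wgcmers", "Temp1/wgcmersgw", "Temp1/Gateway/xgDeployConfig.xml"
    };

    /** Resolves the session directory for serialno, or throws if the value is unsafe. */
    static Path sessionDir(Path sessionRoot, String serialno) {
        if (serialno == null || !SERIALNO.matcher(serialno).matches()) {
            throw new IllegalArgumentException("serial number fails allowlist check");
        }
        Path root = sessionRoot.toAbsolutePath().normalize();
        Path dir = root.resolve("session-" + serialno).normalize();
        // Defence in depth: the resolved directory must stay inside the session root.
        if (!dir.startsWith(root)) {
            throw new IllegalArgumentException("session directory escapes session root");
        }
        return dir;
    }

    /** Copies the certificate files without ever invoking /bin/cp or a shell. */
    static void copyCertsToDir(Path sessionRoot, String serialno, Path gwDir) throws IOException {
        Path dir = sessionDir(sessionRoot, serialno);
        for (String rel : CERT_FILES) {
            Path src = dir.resolve(rel);
            Files.copy(src, gwDir.resolve(src.getFileName()), StandardCopyOption.REPLACE_EXISTING);
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("/opt/esrs/sessions"); // placeholder path, not the real setting
        for (String s : new String[] { "ABC123", "ABC123 extra", "../other" }) {
            try {
                System.out.println("\"" + s + "\" -> " + sessionDir(root, s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main shows only the plain serial number resolving to a session directory; the values containing whitespace or path separators are rejected before any filesystem or process operation takes place.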
