Advisory

Han Sahin, November 2014

Weak authentication in EMC Secure Remote Services Virtual Edition Web Portal

Abstract

It was discovered that the session tokens in EMC Secure Remote Services Virtual Edition are Base64-encoded XML tokens that lack any cryptographic protection. Because of this, attackers can forge their own session cookies. Attackers with network access (insiders) to the ESRS Web Portal can exploit this issue to gain unauthorized access to the management interface.

Affected versions

EMC reports that the following versions are affected by this vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03
- EMC Secure Remote Services Virtual Edition 3.04

See also

- CVE-2015-0544
- ESA-2015-097: EMC Secure Remote Services (ESRS) Virtual Edition (VE) Multiple Security Vulnerabilities

Fix

EMC has released EMC Secure Remote Services Virtual Edition 3.06, which resolves this vulnerability. Registered EMC Online Support customers can download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition -> Downloads

Introduction

EMC Secure Remote Services (ESRS) is a two-way remote connection between EMC Customer Service and your EMC products and solutions. ESRS maintains connectivity with your EMC products around the clock and automatically notifies EMC if a problem or potential problem occurs. If troubleshooting is necessary, an authorized and authenticated EMC Customer Service professional uses the secure connection to establish a remote session to diagnose, and if necessary, to repair your EMC products and solutions.

The ESRS_SESSION session cookie does not contain unique or cryptographically random values; hence the cookie can be exchanged between different ESRS VE installations, resulting in unauthorized access to the ESRS VE management interface. The cookie value is a Base64-encoded XML token; once decoded, a token looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<token type="CSP">
   <data expires="1970-01-01T00:00:00.000000Z" starts="2014-11-14T11:42:49.029935Z">
      <principal format="" authority="" account="" type=""/>
      <identities>
         <UserIdentifier format="CST">LocalDirectory:Admin/admin</UserIdentifier>
      </identities>
      <groups>
         <GroupIdentifier format="CST">LocalDirectory:Admin/Group:VEUsers</GroupIdentifier>
      </groups>
      <session>
         <attribute name="AuthenticationAuthority" type="String">
            <value>LocalDirectory:Admin</value>
         </attribute>
         <attribute name="ServiceName" type="String">
            <value>&lt;ServiceId name=&quot;DefaultAuthentication&quot;&gt;CSPAuthenticationService&lt;interface-id class=&quot;Authentication&quot;&gt;&lt;/interface-id&gt;&lt;/ServiceId&gt;</value>
         </attribute>
         <attribute name="AuthenticationPolicy" type="String">
            <value>OS|CSP</value>
         </attribute>
      </session>
      <identity/>
      <authentication/>
   </data>
</token>

The session token lacks any cryptographic protection (no signature or MAC, no per-installation secret, no random session identifier). Because of this, attackers can forge their own session cookies. Attackers with network access (insiders) to the ESRS Web Portal can exploit this issue to gain unauthorized access to the management interface.
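The protection the advisory says is missing, shown as an added example that is not part of the advisory and not code from EMC's product: the Base64 body is bound to one installation by an HMAC-SHA256 under a server-side key, carries a random nonce, and is only accepted inside its starts/expires window. The token layout is a reduced copy of the one above; SERVER_KEY, the nonce attribute, issue_token, verify_token and run_checks are names assumed for this example. Note that the sample token above carries an expires attribute dated 1970, earlier than its starts attribute, so the example also enforces the validity window rather than only writing it into the token.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional
from xml.sax.saxutils import escape

# Timestamp layout matching the starts/expires attributes in the advisory's token.
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Hypothetical per-installation secret. Generated at import so the example runs;
# a real server would create it once at install time and keep it out of the web root.
SERVER_KEY = secrets.token_bytes(32)

# Reduced copy of the token layout from the advisory plus a random nonce attribute
# (constructed for this example; the real ESRS token carries more elements).
TOKEN_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<token type="CSP"><data expires="{expires}" starts="{starts}" nonce="{nonce}">'
    '<identities><UserIdentifier format="CST">{user}</UserIdentifier></identities>'
    '</data></token>'
)


def _encode_body(xml_text: str) -> str:
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _sign(body: str, key: bytes) -> str:
    # HMAC over the Base64 body; the key is what ties a token to one installation.
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def _render(user: str, now: datetime, lifetime: timedelta) -> str:
    return TOKEN_TEMPLATE.format(
        starts=now.strftime(TIME_FMT),
        expires=(now + lifetime).strftime(TIME_FMT),
        nonce=secrets.token_hex(16),
        user=escape(user),
    )


def unsigned_token(user: str, now: Optional[datetime] = None) -> str:
    """Bare Base64 XML with no MAC: the shape the advisory describes (used only to show rejection)."""
    now = now or datetime.now(timezone.utc)
    return _encode_body(_render(user, now, timedelta(hours=1)))


def issue_token(user: str, key: bytes = SERVER_KEY, lifetime: timedelta = timedelta(hours=1),
                now: Optional[datetime] = None) -> str:
    """Signed form: '<base64 xml>.<hex hmac-sha256>'."""
    now = now or datetime.now(timezone.utc)
    body = _encode_body(_render(user, now, lifetime))
    return body + "." + _sign(body, key)


def verify_token(cookie: str, key: bytes = SERVER_KEY, now: Optional[datetime] = None) -> Optional[str]:
    """Return the UserIdentifier if the cookie is authentic and current, otherwise None."""
    now = now or datetime.now(timezone.utc)
    body, sep, mac = cookie.rpartition(".")  # Base64 never contains '.', so the split is unambiguous
    if not sep:
        return None  # no MAC at all: reject before looking at the contents
    if not hmac.compare_digest(mac.encode("utf-8"), _sign(body, key).encode("ascii")):
        return None  # forged, tampered, or issued by another installation
    try:
        root = ET.fromstring(base64.b64decode(body, validate=True))
        data = root.find("data")
        starts = _parse_time(data.get("starts"))
        expires = _parse_time(data.get("expires"))
    except (binascii.Error, ET.ParseError, AttributeError, TypeError, ValueError):
        return None
    if not (starts <= now < expires):
        return None  # outside the window (covers a token whose expires precedes its starts)
    return root.findtext("data/identities/UserIdentifier")


def run_checks() -> dict:
    """Exercise the validator on the cases a reviewer would want covered."""
    user = "LocalDirectory:Admin/admin"
    issued_at = datetime(2014, 11, 14, 11, 42, 49, tzinfo=timezone.utc)
    good = issue_token(user, now=issued_at)
    body, mac = good.split(".")
    # Keep the MAC but edit the decoded body: the identity swap must be detected.
    edited = base64.b64decode(body).decode("utf-8").replace("Admin/admin", "Admin/other")
    tampered = _encode_body(edited) + "." + mac
    return {
        "valid": verify_token(good, now=issued_at + timedelta(minutes=30)),
        "unsigned": verify_token(unsigned_token(user, now=issued_at), now=issued_at),
        "tampered": verify_token(tampered, now=issued_at),
        "other_installation": verify_token(good, key=secrets.token_bytes(32), now=issued_at),
        "expired": verify_token(good, now=issued_at + timedelta(hours=2)),
        "expires_before_starts": verify_token(issue_token(user, lifetime=timedelta(days=-1), now=issued_at), now=issued_at),
    }


if __name__ == "__main__":
    print(run_checks())
```

Only the first case in run_checks yields a user identifier; the unsigned token, the edited body, the token from another installation's key, the expired token and the token whose expires precedes its starts are all rejected before any identity is trusted. Keying the MAC per installation is what stops a cookie from one ESRS VE being replayed against another.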
