Vulnerability-Lookup

CNVD-2018-07121

Vulnerability from cnvd - Published: 2018-04-04

Title

Dell EMC ScaleIO命令注入漏洞

Description

Dell EMC ScaleIO是美国戴尔（Dell）公司的一套将DAS存储转换为共享数据块存储的软件定义的解决方案。Light Installation Agent（LIA）是其中的一个安装代理程序。 Dell EMC ScaleIO 2.5之前版本中的LIA存在命令注入漏洞。攻击者可利用该漏洞以root权限在系统上执行任意命令。

Severity

高

Patch Name

Dell EMC ScaleIO命令注入漏洞的补丁

Patch Description

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://support.emc.com/downloads/40635_ScaleIO-Product-Family

Reference

http://seclists.org/fulldisclosure/2018/Mar/59

Impacted products

Name
DELL EMC ScaleIO <2.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1238"
    }
  },
  "description": "Dell EMC ScaleIO\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u5957\u5c06DAS\u5b58\u50a8\u8f6c\u6362\u4e3a\u5171\u4eab\u6570\u636e\u5757\u5b58\u50a8\u7684\u8f6f\u4ef6\u5b9a\u4e49\u7684\u89e3\u51b3\u65b9\u6848\u3002Light Installation Agent\uff08LIA\uff09\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5b89\u88c5\u4ee3\u7406\u7a0b\u5e8f\u3002\r\n\r\nDell EMC ScaleIO 2.5\u4e4b\u524d\u7248\u672c\u4e2d\u7684LIA\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "David Berard",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.emc.com/downloads/40635_ScaleIO-Product-Family",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-07121",
  "openTime": "2018-04-04",
  "patchDescription": "Dell EMC ScaleIO\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u5957\u5c06DAS\u5b58\u50a8\u8f6c\u6362\u4e3a\u5171\u4eab\u6570\u636e\u5757\u5b58\u50a8\u7684\u8f6f\u4ef6\u5b9a\u4e49\u7684\u89e3\u51b3\u65b9\u6848\u3002Light Installation Agent\uff08LIA\uff09\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5b89\u88c5\u4ee3\u7406\u7a0b\u5e8f\u3002\r\n\r\nDell EMC ScaleIO 2.5\u4e4b\u524d\u7248\u672c\u4e2d\u7684LIA\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell EMC ScaleIO\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "DELL EMC ScaleIO \u003c2.5"
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2018/Mar/59",
  "serverity": "\u9ad8",
  "submitTime": "2018-03-28",
  "title": "Dell EMC ScaleIO\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2018-1238 (GCVE-0-2018-1238)

Vulnerability from cvelistv5 – Published: 2018-03-27 21:00 – Updated: 2024-09-16 20:06

Summary

Dell EMC ScaleIO versions prior to 2.5, contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of ScaleIO deployment and uses shell commands for certain actions. A remote malicious user, with network access to LIA and knowledge of the LIA administrative password, could potentially exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed.

Severity

No CVSS data available.

CWE

Command injection vulnerability

Assigner

dell

References

1 reference

URL	Tags
http://seclists.org/fulldisclosure/2018/Mar/59	mailing-listx_refsource_FULLDISC

Impacted products

1 product

Vendor	Product	Version
Dell EMC	ScaleIO	Affected: versions prior to 2.5

Date Public

2018-03-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:51:48.950Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20180326 DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/Mar/59"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ScaleIO",
          "vendor": "Dell EMC",
          "versions": [
            {
              "status": "affected",
              "version": "versions prior to 2.5"
            }
          ]
        }
      ],
      "datePublic": "2018-03-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Dell EMC ScaleIO versions prior to 2.5, contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of ScaleIO deployment and uses shell commands for certain actions. A remote malicious user, with network access to LIA and knowledge of the LIA administrative password, could potentially exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Command injection vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-27T20:57:01.000Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "20180326 DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/Mar/59"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "DATE_PUBLIC": "2018-03-26T00:00:00",
          "ID": "CVE-2018-1238",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ScaleIO",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions prior to 2.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dell EMC"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Dell EMC ScaleIO versions prior to 2.5, contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of ScaleIO deployment and uses shell commands for certain actions. A remote malicious user, with network access to LIA and knowledge of the LIA administrative password, could potentially exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Command injection vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20180326 DSA-2018-058: Dell EMC ScaleIO Multiple Security Vulnerabilities",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/Mar/59"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2018-1238",
    "datePublished": "2018-03-27T21:00:00.000Z",
    "dateReserved": "2017-12-06T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:06:14.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-07121

CVE-2018-1238 (GCVE-0-2018-1238)

Tags

Sightings

Nomenclature