Foregenix Identify Multiple Dell EMC RecoverPoint Zero-Day Vulnerabilities

In the course of the engagement, Foregenix encountered several Dell EMC RecoverPoint devices as part of the designated scope. Foregenix was aware of some recently patched vulnerabilities (CVE-2018-1184, CVE-2018-1185) affecting RecoverPoint devices, for which no public exploits were available. As well as deducing a method of successfully exploiting these known vulnerabilities, Paul Taylor, one of our senior penetration testers, discovered five additional new zero-day vulnerabilities in the RecoverPoint devices, as well as an insecure configuration option which also constitutes a vulnerability.

The vulnerabilities, one of which is of critical severity, affected all versions of Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 5.1.1.3. The critical vulnerability allows unauthenticated remote code execution with root privileges. This means, that if an attacker with no knowledge of any credentials has visibility of RecoverPoint on the network, or local access to it, they can gain complete control over the RecoverPoint and its underlying Linux operating system.

To show the extent of compromise possible, during the engagement, once Foregenix had complete control of the RecoverPoint devices, it was then possible to exploit some of the other zero-day vulnerabilities discovered in order to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with.

Following Foregenix’s responsible disclosure in February 2018 to Dell EMC, the vendor has released security fixes on 2018-05-18 to address some of these vulnerabilities. The fixes can be obtained from Dell EMC support. Please contact Dell EMC technical support representative for any assistance or further information. For more details on Dell EMC Vulnerability Response Policy please refer to their product security response center.

Summary of identified vulnerabilities:

At the time of writing Dell EMC has issued CVEs for three of the vulnerabilities and included them in its advisory DSA-2018-095 scheduled for public release on 2018-05-21. Here is a summary of the vulnerabilities, with the full disclosure further down the page:

Critical unauthenticated remote code execution with root privileges via unspecified attack vector (CVE-2018-1235, CVSS 9.8, critical severity)

• Permits an attacker with visibility of a RecoverPoint device on the network to gain complete control over the underlying Linux operating system.

Administrative menu arbitrary file read (CVE-2018-1242, CVSS 6.7, medium severity)

• An attacker with access to the boxmgmt administrative menu can read files from the file system which are accessible to the boxmgmt user.

LDAP credentials in Tomcat log file (CVE-2018-1241, CVSS 6.2, medium severity)

• In certain conditions, RecoverPoint will leak plaintext credentials into a log file.

World readable log contains password hash (CVE not issued at time of writing)

• RecoverPoint is shipped with a system password hash stored in a world readable file.

Hardcoded root password (CVE not issued at time of writing)

• RecoverPoint uses a hardcoded root password which can only be changed by contacting the vendor.

LDAP credentials sent in cleartext (CVE not issued at time of writing)

• An insecure configuration option permits LDAP credentials sent by the RecoverPoint to be intercepted by attackers.

Find full details of the vulnerabilities below:

Vulnerability Title: Critical unauthenticated remote code execution with root privileges via unspecified attack vector

Vulnerability Reference: CVE-2018-1235 (CVSS 9.8, critical severity)

Vendor Advisory: DSA-2018-095

Vulnerable Product: Dell EMC RecoverPoint, Dell EMC RecoverPoint for Virtual Machines

Vulnerable Versions: All versions prior to RP 5.1.2, and prior to RP4VMs 5.1.1.3

Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

Vulnerability Details: The critical vulnerability allows unauthenticated remote code execution with root privileges. This means, that if an attacker has visibility of RecoverPoint on the network, they can gain complete control over the underlying Linux operating system. The attack can also be performed locally. Due to the critical nature of this vulnerability and ease of exploitation, at this stage further details are not being released to provide opportunity for RecoverPoint customers to patch the vulnerability.

Remediation: Dell EMC advise that upgrading to the latest version will fix the vulnerability.

Advisory Timeline:

• 2018-02-09 - Discovery
• 2018-02-13 - Reported to Dell EMC
• 2018-05-18 - Upgrade release date
• 2018-05-21 - General public disclosure date

Vulnerability Title: Administrative menu arbitrary file read

Vulnerability Reference: CVE-2018-1242 (CVSS 6.7, medium severity)

Vendor Advisory: DSA-2018-095

Vulnerable Product: Dell EMC RecoverPoint, Dell EMC RecoverPoint for Virtual Machines

Vulnerable Versions: All versions prior to RP 5.1.2, and prior to RP4VMs 5.1.1.3

Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

Vulnerability Details: When logging in as boxmgmt and running an internal command, the ssh command may be used to display the contents of files from the file system which are accessible to the boxmgmt user. For example /etc/passwd can be read:

ssh -F /etc/passwd 127.0.0.1

Remediation: Dell EMC advise that upgrading to the latest version will fix the vulnerability.

Advisory Timeline:

• 2018-02-13 - Discovery
• 2018-02-15 - Reported to Dell EMC
• 2018-05-18 - Upgrade release date
• 2018-05-21 - General public disclosure date

Vulnerability Title: LDAP credentials in Tomcat log file

Vulnerability Reference: CVE-2018-1241 (CVSS 6.2, medium severity)

Vendor Advisory: DSA-2018-095

Vulnerable Product: Dell EMC RecoverPoint, Dell EMC RecoverPoint for Virtual Machines

Vulnerable Versions: All versions prior to RP 5.1.2, and prior to RP4VMs 5.1.1.3

Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

Vulnerability Details: When the LDAP server is not contactable by RecoverPoint, and a log in attempt is made to an LDAP linked account via a RecoverPoint web interface, LDAP credentials are leaked into the tomcat.log file. These credentials may remain in the log file indefinitely, providing opportunity for attackers with access to the RecoverPoint file system to obtain them and resulting in LDAP account compromise.

Remediation: Dell EMC advise that upgrading to the latest version will fix the vulnerability.

Advisory Timeline:

• 2018-02-13 - Discovery
• 2018-02-15 - Reported to Dell EMC
• 2018-05-18 - Upgrade release date
• 2018-05-21 - General public disclosure date

Vulnerability Title: World readable log contains password hash

Vulnerability Reference: CVE revoked – PSRC-5489

Vulnerable Product: Dell EMC RecoverPoint, Dell EMC RecoverPoint for Virtual Machines

Vulnerable Versions: All versions prior to RP 5.1.2, and prior to RP4VMs 5.1.1.3

Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

Vulnerability Details: The file /distribution.log (and /home/kos/kbox/src/installation/distribution/kdist.pl) contains "root" password hashes for grub. File permissions allow this file to be read by any user. Dell EMC initially issued a CVE for this vulnerability, but then revoked it, claiming that the log file was only readable by root. Foregenix contested this, having been able to read the file as the www-data user, such as would be possible following a web application compromise. Despite revoking the CVE, the vendor appears to have fixed the issue for new installations of RecoverPoint, but at the time of writing it was not clear whether the vendor would reinstate the CVE, or whether performing an upgrade would remove the hash from previous versions of the world-readable log file.

Remediation: Foregenix would advise RecoverPoint customers to contact Dell EMC to request clarification about this vulnerability.

Advisory Timeline:

• 2018-02-13 - Discovery
• 2018-02-15 - Reported to Dell EMC
• 2018-05-21 - General public disclosure date

Vulnerability Title: Hardcoded root password

Vulnerability Reference: No CVE issued – PSRC-5485

Vendor Advisory: DSA-2018-095 – note about default system passwords

Vulnerable Product: Dell EMC RecoverPoint, Dell EMC RecoverPoint for Virtual Machines

Vulnerable Versions: All versions prior to RP 5.1.2, and prior to RP4VMs 5.1.1.3

Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

Vulnerability Details: The root account password for RecoverPoint's underlying linux operating system is a hardcoded password set by the vendor. An attacker with knowledge of the root password of one device can gain control over all of the devices by logging in at the local console, or gaining console access as an unprivileged user, and changing to root. Although a CVE was not issued, the vendor intends to update its documentation to make it clear that the password can only be changed by requesting a dedicated script from its support team. If an attacker with knowledge of the hardcoded password compromised a different user account on the RecoverPoint, they could use the password to escalate to root.

Remediation: Foregenix would advise all RecoverPoint customers to request this script and change the password.

Advisory Timeline:

• 2018-02-13 - Discovery
• 2018-02-15 - Reported to Dell EMC
• 2018-05-21 - General public disclosure date

Vulnerability Title: Insecure configuration option results in LDAP credentials sent as cleartext

Vulnerability Reference: No CVE issued - PSRC-5488

Vulnerable Product: Dell EMC RecoverPoint, Dell EMC RecoverPoint for Virtual Machines

Vulnerable Versions: All versions prior to RP 5.1.2, and prior to RP4VMs 5.1.1.3

Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

Vulnerability Details: When the LDAP simple bind configuration is used, credentials are sent from the RecoverPoint server in cleartext. This means that a man-in-the-middle attacker or an attacker who has gained access to the RecoverPoint using another vulnerability, can monitor the traffic and discover LDAP credentials which have been entrusted to the RecoverPoint. Dell EMC informed Foregenix that the RecoverPoint documentation provides a warning about the insecure nature of this configuration. There did not appear to be any warning in the RecoverPoint menu itself. Foregenix was able to successfully exploit this vulnerability, intercepting credentials sent from the RecoverPoint to compromise a Microsoft Active Directory domain.

Remediation: Foregenix would advise all RecoverPoint customers to ensure that if LDAP integration is required, it is configured to bind securely.

Advisory Timeline:

• 2018-02-13 - Discovery
• 2018-02-15 - Reported to Dell EMC
• 2018-05-21 - General public disclosure date