Vulnerability-Lookup

CNVD-2017-35686

Vulnerability from cnvd - Published: 2017-11-30

Title

EMC ScaleIO for Linux信息泄露漏洞

Description

EMC ScaleIO for Linux是美国易安信（EMC）公司的一套基于Linux平台的将DAS存储转换为共享数据块存储的软件定义的解决方案。基于Linux平台的EMC ScaleIO 2.0.1.x版本中存在信息泄露漏洞，该漏洞源于程序以明文的形式将ScaleIO MDM用户证书保存到临时文件中。攻击者可利用该漏洞读取用户证书。

Severity

高

Patch Name

EMC ScaleIO for Linux信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.emc.com

Reference

http://seclists.org/fulldisclosure/2017/Nov/35

Impacted products

Name
EMC ScaleIO 2.0.1.x

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8001"
    }
  },
  "description": "EMC ScaleIO for Linux\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eLinux\u5e73\u53f0\u7684\u5c06DAS\u5b58\u50a8\u8f6c\u6362\u4e3a\u5171\u4eab\u6570\u636e\u5757\u5b58\u50a8\u7684\u8f6f\u4ef6\u5b9a\u4e49\u7684\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\n\u57fa\u4e8eLinux\u5e73\u53f0\u7684EMC ScaleIO 2.0.1.x\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u5c06ScaleIO MDM\u7528\u6237\u8bc1\u4e66\u4fdd\u5b58\u5230\u4e34\u65f6\u6587\u4ef6\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u7528\u6237\u8bc1\u4e66\u3002",
  "discovererName": "David Berard, from Ubisoft Security \u0026 Risk Management team",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.emc.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-35686",
  "openTime": "2017-11-30",
  "patchDescription": "EMC ScaleIO for Linux\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eLinux\u5e73\u53f0\u7684\u5c06DAS\u5b58\u50a8\u8f6c\u6362\u4e3a\u5171\u4eab\u6570\u636e\u5757\u5b58\u50a8\u7684\u8f6f\u4ef6\u5b9a\u4e49\u7684\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\n\u57fa\u4e8eLinux\u5e73\u53f0\u7684EMC ScaleIO 2.0.1.x\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u5c06ScaleIO MDM\u7528\u6237\u8bc1\u4e66\u4fdd\u5b58\u5230\u4e34\u65f6\u6587\u4ef6\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u7528\u6237\u8bc1\u4e66\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "EMC ScaleIO for Linux\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "EMC ScaleIO 2.0.1.x"
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2017/Nov/35",
  "serverity": "\u9ad8",
  "submitTime": "2017-11-22",
  "title": "EMC ScaleIO for Linux\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2017-8001 (GCVE-0-2017-8001)

Vulnerability from cvelistv5 – Published: 2017-11-28 07:00 – Updated: 2024-08-05 16:19

Summary

An issue was discovered in EMC ScaleIO 2.0.1.x. In a Linux environment, one of the support scripts saves the credentials of the ScaleIO MDM user who executed the script in clear text in temporary log files. The temporary files may potentially be read by an unprivileged user with access to the server where the script was executed to recover exposed credentials.

Severity ?

No CVSS data available.

CWE

Sensitive Information Disclosure

Assigner

dell

References

2 references

URL	Tags
http://www.securityfocus.com/bid/101997	vdb-entryx_refsource_BID
http://seclists.org/fulldisclosure/2017/Nov/35	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
n/a	EMC ScaleIO EMC ScaleIO 2.0.1.x	Affected: EMC ScaleIO EMC ScaleIO 2.0.1.x

Date Public ?

2017-11-28 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.773Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "101997",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101997"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2017/Nov/35"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EMC ScaleIO EMC ScaleIO 2.0.1.x",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "EMC ScaleIO EMC ScaleIO 2.0.1.x"
            }
          ]
        }
      ],
      "datePublic": "2017-11-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in EMC ScaleIO 2.0.1.x. In a Linux environment, one of the support scripts saves the credentials of the ScaleIO MDM user who executed the script in clear text in temporary log files. The temporary files may potentially be read by an unprivileged user with access to the server where the script was executed to recover exposed credentials."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Sensitive Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-01T10:57:01.000Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "101997",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101997"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://seclists.org/fulldisclosure/2017/Nov/35"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2017-8001",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "EMC ScaleIO EMC ScaleIO 2.0.1.x",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "EMC ScaleIO EMC ScaleIO 2.0.1.x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in EMC ScaleIO 2.0.1.x. In a Linux environment, one of the support scripts saves the credentials of the ScaleIO MDM user who executed the script in clear text in temporary log files. The temporary files may potentially be read by an unprivileged user with access to the server where the script was executed to recover exposed credentials."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Sensitive Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "101997",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101997"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2017/Nov/35",
              "refsource": "CONFIRM",
              "url": "http://seclists.org/fulldisclosure/2017/Nov/35"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2017-8001",
    "datePublished": "2017-11-28T07:00:00.000Z",
    "dateReserved": "2017-04-21T00:00:00.000Z",
    "dateUpdated": "2024-08-05T16:19:29.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-35686

CVE-2017-8001 (GCVE-0-2017-8001)

Tags

Sightings

Nomenclature