A vulnerability was found in Dell EMC ScaleIO up to 2.4. It has been declared as critical. Affected by this vulnerability is some unknown functionality of the component Light Installation Agent. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Dell EMC ScaleIO versions prior to 2.5, contain improper restriction of excessive authentication attempts on the Light installation Agent (LIA). This component is deployed on every server in the ScaleIO cluster and is used for central management of ScaleIO nodes. A remote malicious user, having network access to LIA, could potentially exploit this vulnerability to launch brute force guessing of user names and passwords of user accounts on the LIA.

The bug was discovered 03/26/2018. The weakness was disclosed 03/27/2018 as not defined mailinglist post (Full-Disclosure). The advisory is shared at seclists.org. This vulnerability is known as CVE-2018-1237 since 12/06/2017. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k.

Upgrading to version 2.5 eliminates this vulnerability.

The entries 115115 and 115118 are pretty similar.

Productinfo

Vendor

• Dell EMC

Name

• ScaleIO

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion