PROBLEM:
EMC Smarts Network Configuration Manager Database Authentication Bypass Vulnerability
PLATFORM:
EMC Smarts Network Configuration Manager (NCM), all versions prior to 9.1
ABSTRACT:
Two vulnerabilities were reported in EMC Smarts Network Configuration Manager.
REFERENCE LINKS:
EMC Identifier: ESA-2012-057
Secunia Advisory SA51408
SecurityTracker Alert ID: 1027812
CVE-2012-4614
CVE-2012-4615
IMPACT ASSESSMENT:
Medium
DISCUSSION:
The system uses a hard-coded key to encrypt authentication credentials on the target system [CVE-2012-4615]. A local user with knowledge of the key can access the credentials.
A remote user can connect to the target Network Configuration Manager (NCM) database [CVE-2012-4614].
Impact:
A remote user can connect to the target database.
A local user can obtain passwords.
Solution:
The vendor has issued a fix (9.1).
This fix also includes security updates for Apache Tomcat and JBoss.