An insecure file permissions vulnerability has been discovered in Dell EMC VPlex GeoSynchrony. It affects versions older than 6.1, specifically versions 5.4, 5.5, and 6.0. The vulnerability allows a malicious authenticated attacker to remotely read VPN configuration files. It also exposes the VPN traffic to a possible man-in-the-middle attack, in which the attacker secretly relays and potentially alters the communication between two endpoints that assume the channel's integrity is intact.
Dell EMC VPlex is a virtual computer data storage solution, first released in 2010 by EMC Corporation. It is applauded for its ability to provide a distributed virtualization layer that works seamlessly within and across geographically disparate Fibre Channel storage area networks and data centers.
This vulnerability has been assigned the Dell EMC advisory identifier DSA-2018-156 and the CVE identifier CVE-2018-11078. It is rated medium severity, with a CVSS 3.0 base score of 4.0. According to the preliminary analysis, the vulnerability affects Witness only. The affected releases are Dell EMC VPlex GeoSynchrony 5.4 (all versions), 5.5 (all versions), and 6.0 (all versions).
Because the insecure file permissions affect only versions prior to 6.1, the mitigation Dell suggests at this point is simply an upgrade to version 6.2 of Dell VPlex GeoSynchrony. Since the vulnerability is not present in the most recent version, it does not warrant an entirely new update release; the latest release already mitigates the concern on its own.
A special note from Dell to those who need to upgrade to mitigate this vulnerability: contact your local field representative for help planning the VPlex upgrade, which requires a Change Control Authorization (CCA).