PT-2018-1125 · Dell EMC · Dell EMC Unisphere for VMAX Virtual Appliance and 3 other products

Carlos Perez · Published 2018-02-12 · Updated 2018-03-29 · CVE-2018-1216

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18
Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21
Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514
Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4

Description

The issue is caused by hardcoded credentials in the vApp Manager component of Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement). The key factor is an undocumented default account, smc, whose password is hardcoded: a remote attacker who knows that password can gain unauthorized access to the system through certain web servlets.

Recommendations

For Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, update to version 8.4.0.18 or later.
For Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, update to version 8.4.0.21 or later.
For Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, update to version 8.4.0.514 or later.
For Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4, update to a version later than 1.4.
As a temporary workaround, consider restricting access to the vulnerable web servlets until a patch is available.
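An inventory check built from the version thresholds above, added here as an example (not part of the PT advisory or Dell EMC's tooling). Note the one inclusive threshold: eManagement 1.4 itself is affected, whereas for the other three products the stated version is already the fixed one. Host names and installed versions in SAMPLE_INVENTORY are constructed sample data.

```python
"""Flag appliances still affected by CVE-2018-1216 from a version inventory."""
from typing import List, Tuple

# (fixed version, threshold_is_inclusive) per the advisory:
# "prior to X" -> X is fixed; "prior to and including 1.4" -> 1.4 is still affected.
FIXED_VERSIONS = {
    "Dell EMC Unisphere for VMAX Virtual Appliance": ("8.4.0.18", False),
    "Dell EMC Solutions Enabler Virtual Appliance": ("8.4.0.21", False),
    "Dell EMC VASA Virtual Appliance": ("8.4.0.514", False),
    "Dell EMC VMAX Embedded Management": ("1.4", True),
}

# Constructed sample data (hypothetical hosts), not taken from the advisory.
SAMPLE_INVENTORY = [
    ("unisphere-01", "Dell EMC Unisphere for VMAX Virtual Appliance", "8.4.0.15"),
    ("unisphere-02", "Dell EMC Unisphere for VMAX Virtual Appliance", "8.4.0.18"),
    ("emgmt-01", "Dell EMC VMAX Embedded Management", "1.4"),
    ("emgmt-02", "Dell EMC VMAX Embedded Management", "1.4.1"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.4.0.18' into (8, 4, 0, 18); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, installed: str) -> bool:
    """True if the installed version is still vulnerable to CVE-2018-1216."""
    threshold, inclusive = FIXED_VERSIONS[product]
    have, fixed = parse_version(installed), parse_version(threshold)
    # Pad to equal length so that 1.4 compares equal to 1.4.0, not below it.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have <= fixed if inclusive else have < fixed


def affected_hosts(inventory) -> List[str]:
    """Return the host names whose product/version pair is still affected."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: still affected by CVE-2018-1216, update per the advisory")
```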

Fix

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

BDU:2018-00551
CVE-2018-1216

Affected Products

Dell EMC Solutions Enabler Virtual Appliance
Dell EMC Unisphere for VMAX Virtual Appliance
Dell EMC VASA Virtual Appliance
Dell EMC VMAX Embedded Management