CVE-2018-1206 - OpenCVE

Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is "apollosuperuser." An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emc	Data Protection Advisor

Configuration 1 [-]

OR	cpe:2.3:a:emc:data_protection_advisor:6.3.0:::::::*
	cpe:2.3:a:emc:data_protection_advisor:6.4.0:::::::*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2018/Mar/22
http://www.securityfocus.com/bid/103376
http://www.securitytracker.com/id/1040484

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-03-12T17:00:00

Updated: 2024-08-05T03:51:49.014Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1206

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-12T17:29:00.237

Modified: 2018-04-13T14:51:15.537

Link: CVE-2018-1206

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110", "vendor": "n/a", "versions": [{"status": "affected", "version": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110"}]}], "datePublic": "2018-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is \"apollosuperuser.\" An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account."}], "problemTypes": [{"descriptions": [{"description": "Hardcoded Password Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-17T09:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://seclists.org/fulldisclosure/2018/Mar/22"}, {"name": "1040484", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040484"}, {"name": "103376", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103376"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2018-1206", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110", "version": {"version_data": [{"version_value": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is \"apollosuperuser.\" An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Hardcoded Password Vulnerability"}]}]}, "references": {"reference_data": [{"name": "http://seclists.org/fulldisclosure/2018/Mar/22", "refsource": "CONFIRM", "url": "http://seclists.org/fulldisclosure/2018/Mar/22"}, {"name": "1040484", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040484"}, {"name": "103376", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103376"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:49.014Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2018/Mar/22"}, {"name": "1040484", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1040484"}, {"name": "103376", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103376"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1206", "datePublished": "2018-03-12T17:00:00", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-08-05T03:51:49.014Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emc:data_protection_advisor:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2FF0EB8B-2808-4853-BF33-F8BA3115E772", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:data_protection_advisor:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "487958A0-C038-47D0-A977-15A0F63F1626", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is \"apollosuperuser.\" An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account."}, {"lang": "es", "value": "Dell EMC Data Protection Advisor, en versiones anteriores a la 6.3 Patch 159 y Dell EMC Data Protection Advisor, en versiones anteriores a la 6.4 Patch 110, contienen una cuenta de base de datos embebida con privilegios de administrador. La cuenta afectada es \"apollosuperuser\". Un atacante con acceso local al servidor en el que est\u00e1 instalado DPA Datastore Service y que conozca la contrase\u00f1a podr\u00eda obtener acceso no autorizado a la base de datos. Nota: no se puede acceder de forma remota a la base de datos Datastore Service mediante esta cuenta."}], "id": "CVE-2018-1206", "lastModified": "2018-04-13T14:51:15.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-12T17:29:00.237", "references": [{"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2018/Mar/22"}, {"source": "security_alert@emc.com", "tags": ["VDB Entry", "Third Party Advisory"], "url": "http://www.securityfocus.com/bid/103376"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040484"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}