Multiple vulnerabilities in IBM SAN Volume Controller and Storwize Family



Published: 2013-04-21 | Updated: 2023-10-18
Risk: High
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2013-4310, CVE-2013-4316
CWE-ID: CWE-264, CWE-16
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: SAN Volume Controller and Storwize Family (Hardware solutions / Firmware)
Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU82187

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4310

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

SAN Volume Controller and Storwize Family: before 7.1.0.6

External links

http://www.ibm.com/support/pages/node/866010


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Configuration

EUVDB-ID: #VU82186

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4316

CWE-ID: CWE-16 - Configuration

Exploit availability: No

Description

The issue may allow a remote attacker to bypass implemented security restrictions.

The issue exists because Apache Struts enables Dynamic Method Invocation by default. A remote attacker can trigger the vulnerability to bypass implemented security restrictions.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

SAN Volume Controller and Storwize Family: before 7.1.0.6

External links

http://www.ibm.com/support/pages/node/866010


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


