Risk | Medium |
Patch available | NO |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2014-0633 CVE-2014-0634 CVE-2014-0635 CVE-2014-0632 |
CWE-ID | CWE-20 CWE-287 CWE-22 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | VPLEX GeoSynchrony (Server applications / Virtualization software) |
Vendor | Dell |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU41867
Risk: Medium
CVSSv4.0: 5.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-0633
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code.
The GUI in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not properly validate session-timeout values, which might make it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: VPLEX GeoSynchrony: 4.0 - 5.2.1
CPE2.3
https://archives.neohapsis.com/archives/bugtraq/2014-03/0157.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41868
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0634
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to read and manipulate data.
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: VPLEX GeoSynchrony: 4.0 - 5.2.1
CPE2.3
https://archives.neohapsis.com/archives/bugtraq/2014-03/0157.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41869
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-0635
CWE-ID: CWE-287 - Improper Authentication
Exploit availability: No
Description: The vulnerability allows a remote attacker to read, manipulate or delete data.
Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: VPLEX GeoSynchrony: 4.0 - 5.2.1
CPE2.3
https://archives.neohapsis.com/archives/bugtraq/2014-03/0157.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41870
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-0632
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3. A remote authenticated attacker can send a specially crafted HTTP request and execute arbitrary code via unspecified vectors.
Mitigation: Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions: VPLEX GeoSynchrony: 4.0 - 5.2.1
CPE2.3
https://archives.neohapsis.com/archives/bugtraq/2014-03/0157.html
https://www.securityfocus.com/bid/66513
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.