SB2022102512 - Multiple vulnerabilities in Dell EMC Unisphere for PowerMax and Dell EMC Solutions Enabler

Description

This security bulletin contains information about 42 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2020-16937)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the .NET Framework. A local user can use a specially crafted application to trigger out-of-bounds read error and read contents of memory on the system.

2) Buffer overflow (CVE-ID: CVE-2020-1260)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Buffer overflow (CVE-ID: CVE-2020-1062)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of garbage collection in jscript.dll. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Buffer overflow (CVE-ID: CVE-2020-1035)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

5) Buffer overflow (CVE-ID: CVE-2020-1093)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Input validation error (CVE-ID: CVE-2020-1064)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the MSHTML engine. A remote attacker can trick a victim into editing a specially crafted file and execute arbitrary code on the target system.

7) Buffer overflow (CVE-ID: CVE-2020-1058)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

8) Buffer overflow (CVE-ID: CVE-2020-1060)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

9) Buffer overflow (CVE-ID: CVE-2020-1092)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when Internet Explorer processing HTML content. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

10) Buffer overflow (CVE-ID: CVE-2020-0908)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when the Windows Text Service Module improperly handles memory. A remote attacker can create a specially crafted webpage, trick the victim to visit it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

11) Buffer overflow (CVE-ID: CVE-2020-1216)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

12) Buffer overflow (CVE-ID: CVE-2020-0922)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within Microsoft COM for Windows. A remote attacker can trick a victim to open a specially crafted file or visit a malicious webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

13) Out-of-bounds write (CVE-ID: CVE-2020-0997)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WindowsCodecsRaw module within the Windows Camera Codec Pack. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds write and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

14) Buffer overflow (CVE-ID: CVE-2020-1057)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the ChakraCore scripting engine. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

15) Buffer overflow (CVE-ID: CVE-2020-1129)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within Microsoft Windows Codecs Library. A remote attacker can send a specially crafted image file, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

16) Buffer overflow (CVE-ID: CVE-2020-1172)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the ChakraCore scripting engine. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

17) Buffer overflow (CVE-ID: CVE-2020-1252)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within Windows. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

18) Buffer overflow (CVE-ID: CVE-2020-1285)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when the Windows Graphics Device Interface (GDI) improperly handles objects in the memory. A remote attacker can trick a victim to open a specially crafted file or visit a malicious website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

19) Buffer overflow (CVE-ID: CVE-2020-1508)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when Windows Media Audio Decoder improperly handles objects. A remote authenticated attacker can trick a victim to open a specially crafted document or visit a malicious webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

20) Buffer overflow (CVE-ID: CVE-2020-1593)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when Windows Media Audio Decoder improperly handles objects. A remote authenticated attacker can trick a victim to open a specially crafted document or visit a malicious webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

21) Buffer overflow (CVE-ID: CVE-2020-1219)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the handling of the Intl object in JavaScript. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

22) Buffer overflow (CVE-ID: CVE-2020-1215)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

23) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-1476)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to ASP.NET or .NET web applications running on IIS improperly allow access to cached files. A local user can send a specially crafted request and gain elevated privileges on the target system.

24) Improper input validation (CVE-ID: CVE-2020-14803)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Libraries component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

25) Improper input validation (CVE-ID: CVE-2020-14792)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

26) Missing Encryption of Sensitive Data (CVE-ID: CVE-2020-14781)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JNDI component in Java SE Embedded when processing encrypted LDAP requests. A remote non-authenticated attacker can downgrade the encrypted LDAP connection and gain access to sensitive information.

27) Improper input validation (CVE-ID: CVE-2020-14782)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to an error in CertPath implementation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

28) Improper input validation (CVE-ID: CVE-2020-14797)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

29) Improper input validation (CVE-ID: CVE-2020-14779)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

30) Improper input validation (CVE-ID: CVE-2020-14796)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

31) Improper input validation (CVE-ID: CVE-2020-14798)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

32) Out-of-bounds read (CVE-ID: CVE-2020-1315)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within Internet Explorer. A remote attacker can trick a victim to visit a malicious website, trigger out-of-bounds read error and read contents of memory on the system.

33) Buffer overflow (CVE-ID: CVE-2020-1214)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

34) Buffer overflow (CVE-ID: CVE-2020-1012)

The vulnerability allows a remote attacker to escalate privilege so the system.

The vulnerability exists due to a boundary error in the Wininit.dll when handling objects in memory. A remote attacker can trick a victim to open a specially crafted file or visit a malicious webpage, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

35) Buffer overflow (CVE-ID: CVE-2020-0878)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within ChakraCore engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

36) Buffer overflow (CVE-ID: CVE-2020-1570)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

37) Buffer overflow (CVE-ID: CVE-2020-1380)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

38) Input validation error (CVE-ID: CVE-2020-1567)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the MSHTML engine. A remote attacker can trick a victim to edit a specially crafted file and execute arbitrary code on the target system.

39) Buffer overflow (CVE-ID: CVE-2020-1403)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

40) Information disclosure (CVE-ID: CVE-2020-1432)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Skype for Business is accessed via Internet Explorer. A remote attacker can trick a victim to click a specially crafted URL that prompts the Skype app and gain unauthorized access to sensitive information on the system.

41) Buffer overflow (CVE-ID: CVE-2020-1230)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

42) Buffer overflow (CVE-ID: CVE-2020-1213)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.dell.com/support/kbdoc/en-us/000181200/dsa-2020-278-dell-emc-unisphere-for-powermax-dell-emc-unisphere-for-powermax-virtual-appliance-dell-emc-solutions-enabler-virtual-appliance-and-dell-emc-powermax-embedded-management-security-update-for-multiple-third-party-component-vulnerabilities