CVE-2017-10955

8.8HIGH

Key Information:

Vendor: Dell
Status: Dell Emc Data Protection Advisor
Vendor: CVE Published:; 19 October 2017

Summary

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Data Protection Advisor 6.3.0. Authentication is required to exploit this vulnerability. The specific flaw exists within the EMC DPA Application service, which listens on TCP port 9002 by default. When parsing the preScript parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. Was ZDI-CAN-4697. NOTE: Dell EMC disputes that this is a vulnerability

Affected Version(s)

Dell EMC Data Protection Advisor 6.3.0

References

http://www.securityfocus.com/bid/101008

vdb-entryx_refsource_BID

https://zerodayinitiative.com/advisories/ZDI-17-812

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2017
Vulnerability Reserved
Jul 5, 2017