CVE-2017-4997
Published 2017-06-29
Priority: P263 | critical | 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.48% (90.3th percentile)
EMC VASA Provider Virtual Appliance versions 8.3.x and prior has an unauthenticated remote code execution vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | emc_vasa_provider_virtual_appliance | <= 8.3.0 | — |
Detection & IOCs (extracted from sources)
- Detect login attempts using the default credential pair 'smc:smc' against the EMC VASA Virtual Appliance SE web application at /SE/app on port 5480.
- Monitor for successful authentication log entries for user 'smc' followed immediately by 'smc User Not Authorized'; this sequence indicates exploitation of the default credential bypass, as the session is still issued despite the authorization failure.
- Alert on JSP file uploads to arbitrary locations on the VASA appliance following authentication with the 'smc' account, as the incomplete fix still allows authenticated arbitrary file upload (JSP shell upload).
- Flag HTTP POST requests to /SE/app with body parameters 'user=smc&passwd=smc' as exploitation attempts against CVE-2017-4997.
- The JSESSIONID cookie is issued even when the user is not authorized for the web interface; the session ID is the JSESSIONID value stripped of the trailing '.hostname' suffix, meaning the appliance issues valid sessions to unauthorized accounts.
- The vendor's patch for CVE-2017-4997 was incomplete: it did not prevent authenticated users from uploading files to arbitrary locations, leaving the appliance still exploitable post-patch.
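The two log-based checks above (the default-credential POST and the success/"Not Authorized" sequence) can be sketched as follows. This is an added example, not code from the vendor or from the quoted sources; the request tuples, the log line layout and the `SUCCESS_RE` pattern are assumptions, and all sample data is constructed.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH, MGMT_PORT = "/SE/app", 5480          # from the notes above
NOT_AUTHORIZED = "smc User Not Authorized"       # string quoted in the notes above
# ASSUMPTION: the page does not give the wording of the success entry; this
# pattern is hypothetical and must be adapted to the appliance's real log format.
SUCCESS_RE = re.compile(r"succe\w+.*\buser[ =]smc\b", re.I)

def is_default_cred_post(method, path, port, body):
    """True for a POST to /SE/app on port 5480 whose form body carries smc:smc."""
    if method.upper() != "POST" or port != MGMT_PORT:
        return False
    if path.split("?", 1)[0].rstrip("/") != LOGIN_PATH:
        return False
    # parse_qs decodes percent-encoding and ignores parameter order, so
    # "passwd=%73mc&x=1&user=smc" is caught as well as the literal body.
    form = parse_qs(body, keep_blank_values=True)
    return "smc" in form.get("user", []) and "smc" in form.get("passwd", [])

def find_bypass_sequences(lines, success_re=SUCCESS_RE):
    """1-based line numbers of an smc login success that is directly followed
    by 'smc User Not Authorized' (session issued despite the failure)."""
    return [i + 1 for i in range(len(lines) - 1)
            if success_re.search(lines[i]) and NOT_AUTHORIZED in lines[i + 1]]

# Constructed sample data (not captured from a real appliance).
SAMPLE_REQUESTS = [
    ("POST", "/SE/app", 5480, "user=smc&passwd=smc"),
    ("POST", "/SE/app", 5480, "passwd=%73mc&x=1&user=smc"),
    ("POST", "/SE/app", 5480, "user=admin&passwd=smc"),
    ("GET", "/SE/app", 5480, ""),
]
SAMPLE_LOG = [
    "2017-07-01 10:00:01 authentication succeeded for user smc from 192.0.2.10",
    "2017-07-01 10:00:01 smc User Not Authorized",
    "2017-07-01 10:05:12 authentication succeeded for user admin from 192.0.2.20",
    "2017-07-01 10:06:00 authentication failed for user smc from 192.0.2.10",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(is_default_cred_post(*req), req)
    print("bypass sequence at log lines:", find_bypass_sequences(SAMPLE_LOG))
```

Matching on the decoded form fields rather than the raw body string keeps the rule from missing reordered or percent-encoded parameters.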
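CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |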
No detection rules found.
No public exploits indexed.