CVE-2018-1235
Published: 2018-05-29
Priority: P1 (79) · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 43.29% (98.6th percentile)
Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell_emc | dell_emc_recoverpoint | >= unspecified < 5.1.2 | 5.1.2 |
| dell_emc | dell_emc_recoverpoint_virtual_machine | >= unspecified < 5.1.1.3 | 5.1.1.3 |
| emc | recoverpoint | < 5.1.2 | 5.1.2 |
| emc | recoverpoint_for_virtual_machines | < 5.1.1.3 | 5.1.1.3 |
Detection & IOCs (extracted from sources)
- Alert on creation of new UID-0 (root-equivalent) accounts via `useradd -ou0` or `useradd -o -u 0` on Dell EMC RecoverPoint appliances, as this is the persistence mechanism used post-exploitation.
- The injection payload is length-constrained: the combined length of injected username + password is limited to 21 characters. Detection rules should flag unusually short but syntactically complex SSH usernames containing `$()` or backtick subshell syntax.
- Unauthenticated exploitation occurs before any credential validation; look for SSH connection attempts that are immediately followed by new local user creation or privilege escalation events (uid=0) on RecoverPoint appliances.
- Affected versions are Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for VMs prior to 5.1.1.3. Exploitation was confirmed on RP4VMs 5.1.1.2 and RP 5.1.SP1.P2; detections should be scoped to these appliance versions.
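The three detection points above, turned into working detection logic as an added example (this is not code from the CVE record, the vendor or the exploit author). It runs over constructed sshd and useradd log lines; the hostname, PIDs, addresses and account names are made up for the sample. The `useradd` option parser only understands the `-o/--non-unique` and `-u/--uid` flags plus the set of short options that take a value, which is a simplification of the real `useradd` command line.

```python
"""Flag UID-0 account creation and subshell-style SSH usernames in auth logs."""
import re
from dataclasses import dataclass

# Constructed sample log (not captured from a real appliance): one sshd line with
# a subshell-style username, one useradd record creating UID 0, one sudo line
# running useradd -o -u 0, and two benign lines that must not be flagged.
SAMPLE_LOG = """\
May 29 10:01:02 rp-appliance sshd[2201]: Invalid user $(x) from 192.0.2.10 port 51234
May 29 10:01:03 rp-appliance sshd[2201]: Failed password for invalid user admin from 192.0.2.11 port 51235 ssh2
May 29 10:01:05 rp-appliance useradd[2250]: new user: name=svc, UID=0, GID=0, home=/root, shell=/bin/bash
May 29 10:01:06 rp-appliance sudo: admin : COMMAND=/usr/sbin/useradd -o -u 0 backup2
May 29 10:02:00 rp-appliance useradd[2300]: new user: name=ops, UID=1001, GID=1001, home=/home/ops, shell=/bin/bash
"""

SSHD_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user|"
    r"Failed password for|Accepted \w+ for) (?P<user>.+?) from (?P<src>\S+)")
SUBSHELL_RE = re.compile(r"\$\(|`")  # $( ... ) or backtick command substitution
USERADD_RECORD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
# useradd short options that consume a value (simplified list, assumption)
ARG_OPTS = set("bcdeEfgGkKpRsuZ")


@dataclass
class Finding:
    rule: str
    line: str
    detail: str


def parse_sshd_username(line):
    """Return (username, source) from an sshd auth line, or None."""
    m = SSHD_USER_RE.search(line)
    return (m.group("user"), m.group("src")) if m else None


def is_subshell_username(user):
    """True when the username carries shell command-substitution syntax."""
    return SUBSHELL_RE.search(user) is not None


def useradd_requests_uid0(cmdline):
    """True if a useradd command line combines -o/--non-unique with UID 0."""
    tokens = cmdline.split()
    starts = [i for i, t in enumerate(tokens) if t.rsplit("/", 1)[-1] == "useradd"]
    if not starts:
        return False
    args = tokens[starts[0] + 1:]
    non_unique, uid, i = False, None, 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            if name == "non-unique":
                non_unique = True
            elif name == "uid":
                if not value and i + 1 < len(args):
                    i += 1
                    value = args[i]
                uid = value
        elif tok.startswith("-") and len(tok) > 1:
            j = 1
            while j < len(tok):  # walk a cluster such as -mou0
                ch = tok[j]
                if ch == "o":
                    non_unique = True
                    j += 1
                elif ch in ARG_OPTS:
                    value = tok[j + 1:]
                    if not value and i + 1 < len(args):
                        i += 1
                        value = args[i]
                    if ch == "u":
                        uid = value
                    break  # the rest of the cluster was the option's value
                else:
                    j += 1
        i += 1
    return non_unique and uid is not None and uid.isdigit() and int(uid) == 0


def scan(log_text):
    """Apply all three rules to every line and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        hit = parse_sshd_username(line)
        if hit and is_subshell_username(hit[0]):
            findings.append(Finding("ssh_subshell_username", line,
                                    f"user={hit[0]!r} src={hit[1]} len={len(hit[0])}"))
        rec = USERADD_RECORD_RE.search(line)
        if rec and int(rec.group("uid")) == 0 and rec.group("name") != "root":
            findings.append(Finding("uid0_account_created", line, f"name={rec.group('name')}"))
        elif useradd_requests_uid0(line):
            findings.append(Finding("useradd_uid0_command", line, "useradd with -o and -u 0"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.rule, "|", f.detail)
```

The sshd rule and the two useradd rules are kept separate so the sequence the third bullet describes (an SSH attempt followed within seconds by a UID-0 account) can be correlated on timestamps by whatever SIEM consumes the findings; the version scoping from the last bullet is left to asset inventory, since the log lines themselves do not carry the appliance version.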
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
Exploit-DB · 2018-06-21 · CVSS 9.8
```text
# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
# Date: 2018-06-21
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Exploit Author: Paul Taylor
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: CVE-2018-1235
# 1. Description
# An OS command injection vulnerability exists in the mechanism which processes usernames
# which are presented for authentication, allowing unauthenticated root access via
# the ssh servic
```
Exploit-DB
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
Exploit-DB · 2018-06-21 · CVSS 9.8
```text
root@recoverpoint:/# id
uid=0(root) gid=0(root) groups=0(root)
root@recoverpoint:/#
```
No writeups or analysis indexed.
Published: 2018-05-29