-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-036: EMC Data Domain Privilege Escalation Vulnerability 

EMC Identifier: ESA-2017-036
   
CVE Identifier: CVE-2017-4983

Severity Rating: CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected products: 

  EMC Data Domain OS 5.2 All versions 
  EMC Data Domain OS 5.4 All versions
  EMC Data Domain OS 5.5 All versions
  EMC Data Domain OS 5.6 All versions
  EMC Data Domain OS 5.7 All versions prior to DD OS 5.7.3.0
  EMC Data Domain OS 6.0 All versions prior to DD OS 6.0.1.0

Summary: 

EMC Data Domain  OS is affected by a privilege escalation vulnerability that may potentially be exploited by attackers to compromise the affected system. 

Details: 

EMC Data Domain OS is potentially vulnerable to a privilege escalation vulnerability. 
A rogue administrator may be able to log in as the Security Office (SO) and escalate privileges by using SO users public key that is stored unprotected on the Data Domain system.  

Resolution: 

EMC recommends all customers upgrade to one of the versions listed below at the earliest opportunity, after verifying environment compatibility:

  EMC Data Domain 5.7 - DD OS 5.7.3.0 or later
  EMC Data Domain 6.0 - DD OS 6.0.1.0 or later

Please verify that the backup software in your environment is compatible with the target DD OS version before upgrading your system.


Link to remedies:
Registered EMC Online Support customers can download patches and software from: 

  EMC Data Domain OS 5.7 version 5.7.3.0 is available at: https://support.emc.com
  EMC Data Domain OS 6.0 version 6.0.1.0 is available at: https://support.emc.com

If you have any questions, please contact EMC Support.

Credit:
EMC would like to thank Geoffrey Janjua from Northrop Grumman for reporting this vulnerability.

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. 


For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJY3A//AAoJEHbcu+fsE81ZuGcH/3k5BGtFdpaWGGpRzJiPXAQ0
mlYXqe+sPw/zDBn5Km6VF+mKBDJ2RzJAEkahhBDtrIBzAzczwpbwQ/20RQ2FI7Jq
wRWeMkfeFxEKuFm+Gkwf8QRve9tTKJnibebA1NLg4S9TSj5wR63iy4kXq/ldZvul
MG2x2Nyaoscz2AgNna0qZYFtD+jMSferX/nOAQQPxR60duw7B/AEnI7QgaO9uFH0
t6YuhGdQXsqHOFx3uIxcDpgQIuGtA3eD/ZCPAUqcFfXFLHu2ygoNBhHUJ0kEO7XO
yUw2J03cTscSyE7C6J/sc+kAHQvC4dFOkK1gYmD/V0EAV5U5iBP/IN1AdbMFG7c=
=qekP
-----END PGP SIGNATURE-----