Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1240

Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. VRRP defaults to an insecure configuration in Linux's keepalived component which sends the cluster password in plaintext through multicast. A malicious user, having access to the vCloud subnet where ViPR is deployed, could potentially sniff the password and use it to take over the cluster's virtual IP and cause a denial of service on that ViPR Controller system.

Published

2018-04-18T16:29:00.370

Last Modified

2024-11-21T03:59:26.793

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.0 (HIGH)

CVSSv2 Vector

AV:A/AC:L/Au:S/C:P/I:N/A:N

Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

5.1

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	emc	vipr_controller	< 3.6.1.4	Yes

References

http://seclists.org/fulldisclosure/2018/Apr/29 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2018/Apr/29 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)