------------------------------------------------------------------------
Command injection vulnerability in EMC Secure Remote Services Virtual Edition
------------------------------------------------------------------------
Han Sahin, November 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A command injection vulnerability was found in EMC Secure Remote Services
Virtual Edition (ESRS VE) that allows an attacker to execute arbitrary
system commands and take full control over ESRS VE.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2015-0525
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
  Update for Multiple Vulnerabilities

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability.

Registered EMC Online Support customers can download patches and
software from support.emc.com at: EMC Secure Remote Services -> EMC
Secure Remote Services Virtual Edition -> Downloads

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20141112/command_injection_vulnerability_in_emc_secure_remote_services_virtual_edition.html

The command injection vulnerability exists in the PVSServiceImpl class
of the Provisioning component. In particular, the serialno argument is
not validated and used insecurely to construct a system command. An
attacker can supply a specially crafted value as serialno, which results
in arbitrary commands being executed.

com/emc/esrs/provisioning/service/PVSServiceImpl.java:

    private void copyCertstoDir(String serialno) throws IOException {
        try {
            String[] cmd_exec = new String[4];
            String s = null;
            cmd_exec[0] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmers " + (String)this.configurations.get("gw.dir"));
            cmd_exec[1] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmersgw " + (String)this.configurations.get("gw.dir"));
            cmd_exec[2] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/Gateway/xgDeployConfig.xml " + (String)this.configurations.get("gw.dir"));
            cmd_exec[3] = ((String)this.configurations.get("provclient.datfile.generation") + " -generateDat");
            for (String cmd : cmd_exec) {
                this.logger.debug("Copy Certs to Dir:" + cmd);
                Process p_exec = Runtime.getRuntime().exec(cmd);
                BufferedReader stdInput2 = new BufferedReader(new InputStreamReader(p_exec.getInputStream()));
                BufferedReader stdError2 = new BufferedReader(new InputStreamReader(p_exec.getErrorStream()));
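
A hardened form of the three copy steps above, as an added example that is not EMC's code and not part of the original advisory: serialno is checked against an allowlist and the files are copied with java.nio.file instead of a concatenated command string. The class name SafeCertCopy, the serial number pattern and the sample directory layout are assumptions; the -generateDat step is not covered.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.regex.Pattern;

public class SafeCertCopy {
    // Assumption: serial numbers are short alphanumeric tokens; adjust to the real format.
    private static final Pattern SERIAL = Pattern.compile("[A-Za-z0-9]{1,32}");
    // File names relative to the session directory, taken from the vulnerable method.
    private static final String[] FILES = {
        "Temp1/wgcmers", "Temp1/wgcmersgw", "Temp1/Gateway/xgDeployConfig.xml" };

    static void copyCertsToDir(Path sessionRoot, Path gwDir, String serialno) throws IOException {
        if (serialno == null || !SERIAL.matcher(serialno).matches()) {
            throw new IllegalArgumentException("invalid serial number");
        }
        Path root = sessionRoot.toAbsolutePath().normalize();
        Path session = root.resolve("session-" + serialno).normalize();
        // Defence in depth: the resolved path must remain under the session root.
        if (!session.startsWith(root)) {
            throw new IllegalArgumentException("session path escapes session root");
        }
        for (String name : FILES) {
            Path src = session.resolve(name);
            // Files.copy never spawns a process, so no command string is built.
            Files.copy(src, gwDir.resolve(src.getFileName()), StandardCopyOption.REPLACE_EXISTING);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in temporary directories.
        Path root = Files.createTempDirectory("sessions");
        Path gw = Files.createTempDirectory("gw");
        Path s = root.resolve("session-ABC123");
        Files.createDirectories(s.resolve("Temp1/Gateway"));
        for (String f : FILES) Files.write(s.resolve(f), "sample".getBytes());
        copyCertsToDir(root, gw, "ABC123");
        System.out.println("copied: " + Files.exists(gw.resolve("xgDeployConfig.xml")));
        // Constructed invalid values: whitespace, path traversal, shell metacharacter, empty.
        for (String bad : new String[] { "ABC123 extra-arg", "../x", "a;b", "" }) {
            try {
                copyCertsToDir(root, gw, bad);
                System.out.println("accepted (unexpected): [" + bad + "]");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: [" + bad + "]");
            }
        }
    }
}
```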