IntelliFlash Web-Based Management Interface Information Vulnerability Disclosure
WDC Tracking Number: WDC-19008
Published: June 6, 2019
Last Updated: June 6, 2019
Description
A vulnerability in the IntelliFlash System Management Console could allow an authenticated admin-privileged account to retrieve sensitive information.
Affected Products
This vulnerability affects IntelliFlash OS software versions from 3.7.0 up to and including 3.9.1 running on IntelliFlash All-Flash and Hybrid Storage Arrays, including HA, T-3xxx and T-4xxx series, HD-series and N-series systems.
Western Digital is releasing software updates to address the vulnerability.
Update Availability
- IntelliFlash OS Releases 3.9.2.x and 3.10.x address the vulnerability. Early availability for these OS releases is scheduled for June 30, 2019.
- Customers may only download software for which they have a valid service agreement procured from Western Digital directly, or through a Western Digital authorized reseller or partner. In most cases, this will be a maintenance upgrade to software that was previously licensed. Security software updates do not entitle customers to a new service agreement or software license, additional software feature sets, or major revision upgrades.
- Upgrade instructions and release notes will be made available from the Customer Support Community. The software is available for download from the IntelliFlash array via the software upgrade server. If the array requires a manual upgrade, contact IntelliFlash Support to obtain the upgrade files.
- Customers who purchased directly from Western Digital or previously from Tegile but do not hold a Western Digital service contract should obtain upgrades by contacting IntelliFlash Technical Support.
Advisory Summary
The IntelliFlash web-based management interface improperly sends third-party system usernames and passwords to authenticated users of the interface. While the information sent is not displayed in the interface, it is present, and an authenticated administrator of the array could exploit this vulnerability by inspecting the source of the web-based management interface. A successful exploit would allow the retrieval of these usernames and passwords from the array.
Exposed System Credentials
- VMware: vCenter admin credential (R/W)
- SNMP: monitoring IFA (Read only)
- SMTP: user email account for sending notifications and the call home feature (R/W)
- Windows Servers: machine user credential for the Windows Server TDPS plug-in used for quiesced IF array snapshots
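The defect described in the Advisory Summary is a settings endpoint that serialises whole integration-configuration objects, so the stored third-party passwords travel in the response body even though the page template never renders them. The following Python is an added illustration of that pattern and its fix; it is not IntelliFlash code, the endpoint shape, the IntegrationConfig class and all host names and credential values are constructed placeholders, and it also shows the kind of regression check a reviewer can run against a response body to confirm no configured secret is present verbatim.

```python
import json
from dataclasses import dataclass


@dataclass
class IntegrationConfig:
    """Hypothetical server-side record for one third-party integration."""
    name: str
    host: str
    username: str
    password: str


# Constructed sample data; every value below is a placeholder, not a real credential.
INTEGRATIONS = [
    IntegrationConfig("vcenter", "vcenter.example.test", "svc-array", "PLACEHOLDER-vcenter-pw"),
    IntegrationConfig("smtp", "mail.example.test", "alerts@example.test", "PLACEHOLDER-smtp-pw"),
]


def settings_response_leaky(configs):
    """'Before': dumps the full object. The UI only renders host and username,
    but the password field is still in the JSON the browser receives, so any
    authenticated user can read it from the page source or network panel."""
    return json.dumps([vars(c) for c in configs])


def settings_response_hardened(configs):
    """'After': allow-list exactly the fields the page renders. The secret is
    never emitted; a boolean tells the UI whether a password is configured."""
    return json.dumps([
        {
            "name": c.name,
            "host": c.host,
            "username": c.username,
            "password_set": bool(c.password),
        }
        for c in configs
    ])


def response_keys(body):
    """Field names present in the first record of a JSON list response."""
    records = json.loads(body)
    return sorted(records[0].keys()) if records else []


def leaked_secret_names(body, configs):
    """Regression check: which configured integrations have their stored
    password appearing verbatim in the response body?"""
    return [c.name for c in configs if c.password and c.password in body]


if __name__ == "__main__":
    for label, fn in (("leaky", settings_response_leaky), ("hardened", settings_response_hardened)):
        body = fn(INTEGRATIONS)
        print(label, "fields:", response_keys(body), "leaks:", leaked_secret_names(body, INTEGRATIONS))
```

The fix is an allow-list of output fields rather than a deny-list of secret-looking names, because a deny-list silently misses credentials stored under names such as an SNMP community string; the `leaked_secret_names` check is the kind of assertion worth keeping in the test suite for every endpoint that serialises configuration objects.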
Mitigations
- Only an authenticated admin should have access to the IntelliFlash System Management Console. To mitigate the vulnerability, ensure that admin access to IntelliFlash is limited to admins who are authorized to access the credentials of the exposed systems identified above.
CVE Number: CVE-2019-6464
Reported by: Thiago Campos of Bishop Fox