exploitDog

CVE-2018-1240

Опубликовано: 18 апр. 2018

Источник: nvd

CVSS3: 8

CVSS2: 2.7

EPSS Низкий

Описание

Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. VRRP defaults to an insecure configuration in Linux's keepalived component which sends the cluster password in plaintext through multicast. A malicious user, having access to the vCloud subnet where ViPR is deployed, could potentially sniff the password and use it to take over the cluster's virtual IP and cause a denial of service on that ViPR Controller system.

Ссылки

http://seclists.org/fulldisclosure/2018/Apr/29
Mailing List
Third Party Advisory
http://seclists.org/fulldisclosure/2018/Apr/29
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:emc:vipr_controller:*:*:*:*:*:*:*:*

Версия от 3.0.0.39 (включая) до 3.6.1.4 (исключая)

EPSS

Процентиль: 35%

0.00145

Низкий

8 High

CVSS3

2.7 Low

CVSS2

Дефекты

CWE-200

Связанные уязвимости

GHSA-r4qw-7cmh-wgff

CVSS3: 8

github

больше 3 лет назад

Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. VRRP defaults to an insecure configuration in Linux's keepalived component which sends the cluster password in plaintext through multicast. A malicious user, having access to the vCloud subnet where ViPR is deployed, could potentially sniff the password and use it to take over the cluster's virtual IP and cause a denial of service on that ViPR Controller system.

EPSS

Процентиль: 35%

0.00145

Низкий

8 High

CVSS3

2.7 Low

CVSS2

Дефекты

CWE-200