CVE-2019-18580

CVSS 9.8 CRITICAL · EPSS 4.9% · CWE-502

In short

Dell EMC Storage Monitoring and Reporting 4.3.1 has a flaw that allows attackers to send specially crafted messages over the network to run malicious code on the server without authenticating. This is dangerous because any attacker who can reach the service over the network can take complete control of the system.

Technical detail

The vulnerability exists in Java RMI deserialization of untrusted data (CWE-502). An unauthenticated remote attacker can send a crafted RMI request that causes unsafe deserialization, leading to arbitrary code execution on the target host. The attack vector is network-based with no authentication or user interaction required, resulting in critical confidentiality, integrity, and availability impact.

Summary generated and translated by AI from the official description.

Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Dell · EMC Storage M&R