Unisphere for VMAX used insecured Flash-to-Java interfaces, leaving door open to attacks.

Digital Defense announced today that it privately revealed a set of five "zero-day" vulnerabilities in Dell EMC's vApp Manager for Unisphere for VMAX, a Web application used to manage all of EMC's storage platforms. The flaws would allow an attacker with access to the network storage devices to send malicious Adobe Flash Action Message Format (AMF) messages to the Web application server running on the storage system. That means attackers could run arbitrary commands against the storage system and potentially gain complete control of the storage devices or shut them down.

Weaknesses were found in how Unisphere for VMAX, which usually runs on a "virtual appliance" on a VMware server, used the AMF protocol to send messages to five different interfaces on the Unisphere Web application server, sometimes without requiring authentication. The worst of these is a vulnerability that allows "arbitrary command execution with root privileges, complete compromise of the virtual appliance," Digital Defense reported in a post on the vulnerabilities. That includes the capability of creating new user credentials to give attackers unfettered access.

Over 3,300 companies worldwide use Symmetrix VMAX to manage storage systems, including T-Mobile and a number of major financial institutions. While attacks would have likely required access to the data center LANs that the systems run on, that sort of access isn't out of the question. Attackers that managed to exploit a connected Web server or other system in the data center would be able to take advantage. In a worst-case scenario, an attacker could both steal large amounts of corporate data and bring storage systems offline. EMC has released security advisories on the vulnerabilities, but those notices are available only to Dell EMC customers.