Tegile IntelliFlash OS Version 3.7.0.8.180413 (GA) - Password Disclosure
Product Vendor
Tegile Systems/Western Digital
Product Description
Tegile IntelliFlash is an enterprise storage solution, encompassing flash and hybrid arrays designed to deliver performance and economics for a wide range of workloads. The official website is https://www.westerndigital.com.
Affected Version(s)
Tested on Tegile IntelliFlash OS version 3.7.08.180413(GA)
Vulnerability Details
The Tegile IntelliFlash OS was affected by a password disclosure vulnerability. The web interface stored passwords in cleartext. By inspecting the source code of the web interface, an attacker could retrieve passwords.
Vulnerability List
One vulnerability was identified within the Tegile IntelliFlash application:
- Password Disclosure
Impact
An attacker could view passwords - including those necessary for servers, virtual platforms, and protocols - upon successful exploitation of this vulnerability.
Vulnerability Details
CVE ID: CVE-2019-6464
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-200
CVSS Base Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Password Disclosure
By inspecting the source code, an authenticated user could retrieve the cleartext passwords for SMTP, SNMP, VMware, and Windows servers, as shown in the figure below:
Using the same technique, a malicious user could view the password in other fields.
The figure below shows the password for the VMware vCenter server:
To exploit this vulnerability, the attacker must be an authenticated user.
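A regression check that developers of a management interface could run against their own rendered pages to catch this class of flaw. It is an added example, not code from the advisory or from the vendor. It assumes the stored secrets reach the browser as `value` attributes of form inputs; the sample markup, field names, and name hints are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (field names and values are made up for illustration).
VULNERABLE_PAGE = """
<form id="smtp-settings">
  <input type="text" name="smtpUser" value="alerts@example.test">
  <input type="password" name="smtpPassword" value="S3cret-constructed">
  <input type="hidden" name="vcenterPassword" value="also-constructed">
</form>
"""

# Hardened rendering: the secret is never sent back; an empty value means "unchanged".
HARDENED_PAGE = """
<form id="smtp-settings">
  <input type="text" name="smtpUser" value="alerts@example.test">
  <input type="password" name="smtpPassword" value="" autocomplete="new-password">
</form>
"""

SECRET_NAME_HINTS = ("pass", "pwd", "secret", "community", "token")  # assumed naming hints


class PrefilledSecretFinder(HTMLParser):
    """Collects form inputs that carry a secret-looking value in the served HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "")
        is_password = a.get("type", "text").lower() == "password"
        looks_secret = any(h in name.lower() for h in SECRET_NAME_HINTS)
        if (is_password or looks_secret) and a.get("value", "").strip():
            line, _ = self.getpos()
            # Report name and location only; never echo the secret into scan output.
            self.findings.append((line, name, a.get("type", "text").lower()))


def find_prefilled_secrets(html):
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Masking in the browser (`type="password"`) does not protect the value; the check passes only when the server stops sending the secret at all.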
Solution
TBD - as of this publication, none exists.
Disclosure Timeline
• 12/12/2018: Initial discovery
• 01/16/2019: First contact with vendor
• 05/14/2019: Vulnerability publicly disclosed
Researcher
Thiago Campos, Senior Security Analyst at Bishop Fox