Tegile Intelliflash OS Version 3.7.0.8.180413 (GA) - Password Disclosure

Product Vendor

Tegile Systems/Western Digital

Product Description

Tegile IntelliFlash is an enterprise storage solution, encompassing flash and hybrid arrays designed to deliver performance and economics for a wide range of workloads. The official website is https://www.westerndigital.com.

Affected Version(s)

Tested on Tegile IntelliFlash OS version 3.7.08.180413 (GA)

Vulnerability Details

The Tegile IntelliFlash OS was affected by a password disclosure vulnerability. The web interface stored passwords in cleartext and returned them in its page source; by inspecting the source of the web interface, an attacker could retrieve the stored passwords.

Vulnerability List

One vulnerability was identified within the Tegile IntelliFlash application:

• Password Disclosure

Impact

Upon successful exploitation of this vulnerability, an attacker could view stored passwords, including those used for servers, virtual platforms, and protocols.

Vulnerability Details

CVE ID: CVE-2019-6464

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-200

CVSS Base Score: 4.9

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Password Disclosure

By inspecting the source code, an authenticated user could retrieve the cleartext passwords for SMTP, SNMP, VMware, and Windows servers, as shown in the figure below:

[Figure: cleartext SMTP, SNMP, VMware, and Windows server passwords visible in the web interface source]

Using the same technique, a malicious user could view the password in other fields.

The figure below shows the password for the VMware vCenter server:

[Figure: VMware vCenter server password visible in the web interface source]

To exploit this vulnerability, the attacker must be an authenticated user.
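The pattern the advisory describes (a settings page that renders a stored credential back into the HTML, where "view source" reveals it) can be caught in a code review or a regression test by scanning responses for password inputs whose value attribute is populated. The following is an added example written for this page, not code from the advisory or from the vendor; the settings pages it scans are constructed samples, and the field names (smtp_password, vcenter_password) and form actions are hypothetical. It also shows the hardened form of the same page: the server never sends the stored secret to the client, renders an empty password field, and treats a blank submission as "leave unchanged".

```python
"""Audit an HTML response for password fields that echo a stored secret.

Constructed example (not from the advisory or the vendor): parses HTML with
the standard library and flags <input type="password"> elements whose value
attribute is non-empty, which is the cleartext-in-page-source pattern the
advisory describes (CWE-200).
"""
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collect password inputs whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, masked value)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Valueless attributes arrive as None; normalise names to lowercase.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        if value:
            # Report the leak without logging the secret itself: keep only its length.
            self.findings.append((a.get("name", "<unnamed>"), "*" * len(value)))


def find_echoed_passwords(html: str):
    """Return a list of (field_name, masked_value) for every leaked password field."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page reproducing the weak pattern. Hypothetical field
# names and form actions; none of this is taken from the product.
VULNERABLE_SETTINGS_PAGE = """
<form action="/settings/smtp" method="post">
  <input type="text" name="smtp_user" value="alerts">
  <input type="password" name="smtp_password" value="S3cretValue!">
</form>
<form action="/settings/vcenter" method="post">
  <input type="text" name="vcenter_user" value="svc-backup">
  <input type="PASSWORD" name="vcenter_password" value="AnotherSecret">
</form>
"""

# Hardened form of the same page: the stored credential stays server-side,
# the password field is rendered empty, and a blank submission means
# "leave the existing password unchanged".
HARDENED_SETTINGS_PAGE = """
<form action="/settings/smtp" method="post">
  <input type="text" name="smtp_user" value="alerts">
  <input type="password" name="smtp_password" value="" placeholder="(unchanged)">
</form>
"""

if __name__ == "__main__":
    for name, masked in find_echoed_passwords(VULNERABLE_SETTINGS_PAGE):
        print(f"password echoed in page source: {name} = {masked}")
    print("hardened page findings:", find_echoed_passwords(HARDENED_SETTINGS_PAGE))
```

Run against the constructed vulnerable page, the auditor reports both echoed fields; against the hardened page it reports none. The same check is cheap to run as a test over every authenticated settings page of a web UI, and it catches the defect without the reviewer ever seeing the secret, since only the masked length is recorded.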

Solution

TBD - as of this publication, none exists.

Disclosure Timeline

• 12/12/2018: Initial discovery
• 01/16/2019: First contact with vendor
• 05/14/2019: Vulnerability publicly disclosed

Researcher

Thiago Campos, Senior Security Analyst at Bishop Fox

About the author, Thiago Campos

Senior Security Consultant

Thiago Campos is a Senior Security Consultant at Bishop Fox, where he focuses on application and network penetration testing. He has assessed Fortune 500 organizations including major brands and financial powerhouses, and he provided security services for the 2016 Olympic Games and a United Nations conference.

Thiago discovered the vulnerability CVE-2019-6464 in Western Digital software and has written the blog post "Every Sign Has a Story."

Thiago presented "The Banker Trojan and the DDoS" as part of the Skytalks track at DEF CON 22 in 2014.
